This vulnerability affects Oracle Payroll component of Oracle E-Business Suite versions 12.2.3 through 12.2.15. It permits a low privileged attacker with network access via HTTP to compromise the system, resulting in unauthorized creation, deletion, or modification of critical data or complete access to all data accessible by Oracle Payroll. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impacts without availability impact. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 new security patches across multiple products including Oracle E-Business Suite. The vendor advisory emphasizes the importance of applying patches promptly and notes that blocking network protocols or removing privileges may reduce risk temporarily but are not substitutes for patching.

Successful exploitation allows unauthorized creation, deletion, or modification of critical or all Oracle Payroll accessible data, compromising confidentiality and integrity. This can lead to unauthorized access to sensitive payroll information and potential data manipulation. There is no reported impact on availability. No known exploits in the wild have been reported so far.

Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply these patches as soon as possible to fully remediate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or by removing unnecessary privileges from users, but these are temporary measures and may disrupt application functionality. Oracle strongly recommends testing any such changes in non-production environments. Staying on supported product versions and promptly applying security patches is critical.