CVE-2026-46939: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. in Oracle Corporation Oracle Configure to Order
CVE-2026-46939 is a high-severity vulnerability in Oracle Configure to Order, part of Oracle E-Business Suite. It affects versions 12.2.3 through 12.2.15. The flaw allows a low-privileged attacker with network access via HTTP to compromise the product, resulting in unauthorized creation, deletion, or modification of critical data. The vulnerability has a CVSS 3.1 base score of 8.1, indicating high impact on confidentiality and integrity without affecting availability. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update, which contains multiple security fixes across Oracle products. Oracle strongly recommends applying the patch promptly to mitigate the risk. No specific exploit in the wild is currently known.
AI Analysis
Technical Summary
This vulnerability in Oracle Configure to Order (component: Supply to Order Workbench) allows a low-privileged attacker with network access via HTTP to perform unauthorized actions on critical data, including creation, deletion, or modification. The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15. It has a CVSS 3.1 score of 8.1 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impact. The June 2026 Oracle Critical Security Patch Update addresses this vulnerability among 245 others. Oracle advises customers to apply the patch immediately to prevent exploitation.
Potential Impact
Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data within Oracle Configure to Order, compromising confidentiality and integrity of all accessible data. This could allow an attacker to manipulate or access sensitive business data without authorization. Availability is not impacted according to the CVSS vector. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that includes a fix for this vulnerability. Customers are strongly advised to apply this patch promptly to mitigate the risk. Until the patch is applied, risk may be reduced by blocking network protocols required for the attack and by removing unnecessary privileges from users. Oracle recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory.
CVE-2026-46939: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. in Oracle Corporation Oracle Configure to Order
Description
CVE-2026-46939 is a high-severity vulnerability in Oracle Configure to Order, part of Oracle E-Business Suite. It affects versions 12.2.3 through 12.2.15. The flaw allows a low-privileged attacker with network access via HTTP to compromise the product, resulting in unauthorized creation, deletion, or modification of critical data. The vulnerability has a CVSS 3.1 base score of 8.1, indicating high impact on confidentiality and integrity without affecting availability. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update, which contains multiple security fixes across Oracle products. Oracle strongly recommends applying the patch promptly to mitigate the risk. No specific exploit in the wild is currently known.
CVSS v3.1
Score 8.1high
Affected software
pkg:maven/com.oracle/ConfigureToOrderRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Oracle Configure to Order (component: Supply to Order Workbench) allows a low-privileged attacker with network access via HTTP to perform unauthorized actions on critical data, including creation, deletion, or modification. The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15. It has a CVSS 3.1 score of 8.1 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impact. The June 2026 Oracle Critical Security Patch Update addresses this vulnerability among 245 others. Oracle advises customers to apply the patch immediately to prevent exploitation.
Potential Impact
Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data within Oracle Configure to Order, compromising confidentiality and integrity of all accessible data. This could allow an attacker to manipulate or access sensitive business data without authorization. Availability is not impacted according to the CVSS vector. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that includes a fix for this vulnerability. Customers are strongly advised to apply this patch promptly to mitigate the risk. Until the patch is applied, risk may be reduced by blocking network protocols required for the attack and by removing unnecessary privileges from users. Oracle recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.312Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b62d0b89be68882666f1
Added to database: 6/16/2026, 8:46:37 PM
Last enriched: 6/16/2026, 9:16:22 PM
Last updated: 6/17/2026, 4:58:30 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.