This vulnerability affects Oracle Cost Management within Oracle E-Business Suite versions 12.2.3 to 12.2.15. It permits a low privileged attacker with network access over HTTP to compromise the system, leading to potential takeover of Oracle Cost Management. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Oracle has published this vulnerability as part of its June 2026 Critical Security Patch Update advisory. While no explicit patch link is provided in the input, Oracle strongly advises applying the Critical Security Patch Update to remediate this and other vulnerabilities. Mitigation options include blocking network protocols used in the attack and removing unnecessary privileges, though these may impact application functionality.

Successful exploitation allows an attacker with low privileges and network access via HTTP to fully compromise Oracle Cost Management, resulting in complete takeover. The vulnerability impacts confidentiality, integrity, and availability of the affected system, as reflected by the high CVSS score of 8.8.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update, which includes patches addressing this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and removing unnecessary privileges from users. However, these mitigations may disrupt normal application functionality. Customers should prioritize patching to fully remediate the vulnerability.