CVE-2026-46946: Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. in Oracle Corporation Oracle iSupport
CVE-2026-46946 is a critical vulnerability in Oracle iSupport, part of Oracle E-Business Suite (versions 12.2.3 through 12.2.15). It allows a high privileged attacker with network access via HTTP to compromise Oracle iSupport, potentially leading to full takeover. The vulnerability also has a scope change impact, potentially affecting additional Oracle products. The CVSS 3.1 base score is 9.1, indicating severe confidentiality, integrity, and availability impacts. Oracle has released a Critical Security Patch Update advisory recommending prompt patching. No explicit patch version is stated for Oracle iSupport in the advisory, but customers are urged to apply the June 2026 Critical Security Patch Update without delay. Mitigations include blocking required network protocols and removing unnecessary privileges until patches are applied. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
This vulnerability affects Oracle iSupport within Oracle E-Business Suite versions 12.2.3 to 12.2.15. It is easily exploitable by a high privileged attacker with network access over HTTP, allowing compromise and takeover of Oracle iSupport. The vulnerability also has a scope change, meaning exploitation may impact additional Oracle products beyond iSupport. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects network attack vector, low attack complexity, high privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability. Oracle’s June 2026 Critical Security Patch Update advisory covers this vulnerability among 245 patches. The advisory strongly recommends applying the update promptly to mitigate risk. Until patched, risk reduction may be achieved by blocking attack-related network protocols and removing unnecessary privileges from users. No specific patch version for Oracle iSupport is explicitly stated in the advisory content provided.
Potential Impact
Successful exploitation allows a high privileged attacker with network access via HTTP to fully compromise Oracle iSupport, resulting in complete takeover. The vulnerability impacts confidentiality, integrity, and availability of the affected system. Additionally, the scope change means that other Oracle products integrated or dependent on Oracle iSupport may also be significantly impacted by an attack. This represents a critical risk to organizations using affected versions of Oracle E-Business Suite.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to address this vulnerability. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation and by removing unnecessary privileges or access to sensitive packages from users who do not require them. These mitigations may affect application functionality, so they should be implemented with caution. Patch status is not explicitly confirmed for Oracle iSupport versions 12.2.3-12.2.15 in the advisory; therefore, customers should consult the official Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest patch availability and instructions.
CVE-2026-46946: Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. in Oracle Corporation Oracle iSupport
Description
CVE-2026-46946 is a critical vulnerability in Oracle iSupport, part of Oracle E-Business Suite (versions 12.2.3 through 12.2.15). It allows a high privileged attacker with network access via HTTP to compromise Oracle iSupport, potentially leading to full takeover. The vulnerability also has a scope change impact, potentially affecting additional Oracle products. The CVSS 3.1 base score is 9.1, indicating severe confidentiality, integrity, and availability impacts. Oracle has released a Critical Security Patch Update advisory recommending prompt patching. No explicit patch version is stated for Oracle iSupport in the advisory, but customers are urged to apply the June 2026 Critical Security Patch Update without delay. Mitigations include blocking required network protocols and removing unnecessary privileges until patches are applied. There are no known exploits in the wild at this time.
CVSS v3.1
Score 9.1critical
Affected software
pkg:maven/com.oracle/iSupportRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Oracle iSupport within Oracle E-Business Suite versions 12.2.3 to 12.2.15. It is easily exploitable by a high privileged attacker with network access over HTTP, allowing compromise and takeover of Oracle iSupport. The vulnerability also has a scope change, meaning exploitation may impact additional Oracle products beyond iSupport. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects network attack vector, low attack complexity, high privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability. Oracle’s June 2026 Critical Security Patch Update advisory covers this vulnerability among 245 patches. The advisory strongly recommends applying the update promptly to mitigate risk. Until patched, risk reduction may be achieved by blocking attack-related network protocols and removing unnecessary privileges from users. No specific patch version for Oracle iSupport is explicitly stated in the advisory content provided.
Potential Impact
Successful exploitation allows a high privileged attacker with network access via HTTP to fully compromise Oracle iSupport, resulting in complete takeover. The vulnerability impacts confidentiality, integrity, and availability of the affected system. Additionally, the scope change means that other Oracle products integrated or dependent on Oracle iSupport may also be significantly impacted by an attack. This represents a critical risk to organizations using affected versions of Oracle E-Business Suite.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to address this vulnerability. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation and by removing unnecessary privileges or access to sensitive packages from users who do not require them. These mitigations may affect application functionality, so they should be implemented with caution. Patch status is not explicitly confirmed for Oracle iSupport versions 12.2.3-12.2.15 in the advisory; therefore, customers should consult the official Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest patch availability and instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.313Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b6300b89be68882667df
Added to database: 6/16/2026, 8:46:40 PM
Last enriched: 6/16/2026, 9:15:46 PM
Last updated: 6/17/2026, 5:12:04 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.