This vulnerability affects Oracle Human Resources within Oracle E-Business Suite versions 12.2.3 to 12.2.15. It is exploitable remotely over HTTP without authentication but requires high attack complexity and user interaction from someone other than the attacker. The impact includes potential full compromise of Oracle Human Resources, affecting confidentiality, integrity, and availability. The vulnerability is tracked as CVE-2026-46955 with a CVSS 3.1 score of 7.5. Oracle's June 2026 Critical Security Patch Update advisory references this vulnerability among 245 fixes but does not explicitly confirm a dedicated patch or workaround for it. Oracle advises customers to apply the full Critical Security Patch Update promptly to reduce risk. No known exploits in the wild have been reported at this time.

Successful exploitation can result in full takeover of Oracle Human Resources, impacting confidentiality, integrity, and availability of the system. The vulnerability allows unauthenticated network access via HTTP but requires human interaction from a third party, making exploitation difficult. The CVSS score of 7.5 reflects high impact on system security.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update as soon as possible to address this vulnerability along with others. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by restricting privileges or access to vulnerable components for users who do not need them. Oracle has not provided a specific patch or temporary fix for CVE-2026-46955 outside of the general Critical Security Patch Update. Customers should monitor Oracle advisories for updates and apply patches promptly.