CVE-2026-46817 — Oracle E-Business Suite Improper Privilege Management Vulnerability

CVE-2026-46817

Oracle E-Business Suite (Oracle Payments) — Unauthenticated Privilege Escalation and File Read via ibytransmit Endpoint

What is Oracle E-Business Suite?

Oracle E-Business Suite (EBS) is Oracle's on-premises enterprise resource planning (ERP) suite, covering financials, supply chain, HR, and payment processing for large organizations and government agencies. Oracle Payments, the affected module, handles the transmission and processing of payment instructions and funds capture between EBS and external payment systems and banks — meaning a compromise here sits directly on top of an organization's financial transaction flow. EBS deployments are typically deeply embedded in back-office operations and rarely exposed to casual scanning, but when they are internet-facing, they represent a high-value target for both financial fraud and broad ERP compromise.

Overview

CVE-2026-46817 is an improper privilege management vulnerability (CWE-269, alongside related weaknesses CWE-287 improper authentication and CWE-306 missing authentication for a critical function) in Oracle Payments within E-Business Suite. An unauthenticated attacker with network access via HTTP can reach an internal function directly, bypassing the authentication checks that would normally gate it, resulting in full compromise of the Oracle Payments module. It was patched in Oracle's May 2026 Critical Patch Update and added to CISA's KEV catalog roughly seven weeks later, on July 15, 2026, with a compressed 3-day remediation deadline reflecting confirmed active exploitation.

Affected Versions

Product Vulnerable Fixed
Oracle E-Business Suite (Oracle Payments) 12.2.3 – 12.2.15 Apply Oracle's May 2026 Critical Patch Update

Technical Details

The flaw is in Oracle Payments' File Transmission functionality, reachable via the /OA_HTML/ibytransmit endpoint. The endpoint invokes an internal Oracle Java class method directly rather than routing the request through EBS's normal authentication and authorization layer, letting an unauthenticated attacker call functionality that should require valid credentials. Security researchers demonstrated the flaw's impact via arbitrary file read (e.g., retrieving /etc/passwd), and the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects full confidentiality, integrity, and availability impact from a single unauthenticated network request with no user interaction.

Discovery

No researcher or organization has been publicly credited for CVE-2026-46817 in Oracle's advisory or in subsequent reporting — the disclosure appears to have followed Oracle's standard Critical Patch Update cycle rather than an independent named-researcher process.

Exploitation Context

CISA and third-party threat intelligence firm Defused Cyber confirmed the first in-the-wild exploitation attempts against Oracle EBS honeypots on June 27, 2026 — roughly six weeks after the May CPU shipped, and reportedly before any public proof-of-concept was available, suggesting the attackers reverse-engineered the patch or independently rediscovered the flaw. CISA's KEV addition on July 15, 2026 carried an unusually short 3-day remediation deadline (July 18), signaling a high assessed likelihood of continued mass exploitation against organizations that had not yet applied the May CPU.

Remediation

  1. Apply Oracle's May 2026 Critical Patch Update to all Oracle E-Business Suite environments running Oracle Payments (release 12.2.3–12.2.15) immediately if not already done.
  2. Restrict network access to the EBS web tier, and specifically to /OA_HTML/ibytransmit, from untrusted networks — EBS instances should not be broadly internet-exposed.
  3. Review web server access logs for unauthenticated requests to ibytransmit and other OA_HTML endpoints, especially requests attempting to read filesystem paths outside the application's expected scope.
  4. Audit Oracle Payments configuration and transaction data for signs of tampering if exploitation is suspected, given the module's role in payment processing.
  5. Treat any unpatched, internet-reachable EBS instance as potentially compromised if it was exposed prior to applying the patch, and rotate credentials and API keys used by the Payments integration.

Key Details

PropertyValue
CVE ID CVE-2026-46817
Vendor / Product Oracle — E-Business Suite
NVD Published2026-05-28
NVD Last Modified2026-07-16
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-269 find similar ↗
CISA KEV Added2026-07-15
CISA KEV Deadline2026-07-18
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-18. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-05-28CVE-2026-46817 published; patched in Oracle's May 2026 Critical Patch Update
2026-06-27First confirmed in-the-wild exploitation observed on Oracle EBS honeypots
2026-07-15Added to CISA Known Exploited Vulnerabilities catalog
2026-07-18CISA BOD 22-01 remediation deadline