PatchSiren

CVE-2026-46818 Oracle Corporation CVE debrief

A high-severity vulnerability in Oracle E-Business Suite's Oracle Payments component (File Transmission) allows unauthenticated network attackers to compromise confidentiality and integrity of critical payment data. The vulnerability affects versions 12.2.3 through 12.2.15 and is rated CVSS 3.1 7.4 (High). While exploitation is rated as difficult (AC:H), successful attacks can result in unauthorized creation, deletion, or modification of critical data, as well as complete unauthorized access to all Oracle Payments accessible data. The attack vector is HTTPS-based network access with no authentication required. Notably, availability impact is none (A:N), distinguishing this from more destructive vulnerabilities. Organizations should prioritize patching given the financial data exposure risk, though the high attack complexity may limit immediate widespread exploitation.

Vendor: Oracle Corporation
Product: Oracle Payments
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle E-Business Suite 12.2.3-12.2.15 with the Oracle Payments module enabled, particularly those processing financial transactions through the File Transmission functionality. Security teams responsible for ERP security, payment card industry (PCI) compliance officers, and Oracle EBS administrators should prioritize assessment.

Technical summary

A vulnerability in the File Transmission component of Oracle Payments in Oracle E-Business Suite. An unauthenticated attacker with network access via HTTPS can, with difficulty (AC:H), perform unauthorized CRUD operations on critical payment data. CVSS 3.1: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). Affects versions 12.2.3-12.2.15.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Oracle Critical Patch Update (CPU) for May 2026 addressing CVE-2026-46818 to affected E-Business Suite 12.2.3-12.2.15 environments
  • Restrict network access to Oracle Payments File Transmission endpoints to authorized administrative hosts only
  • Monitor HTTPS access logs to Oracle Payments components for anomalous unauthenticated request patterns
  • Review Oracle Payments data access logs for unauthorized creation, deletion, or modification events
  • Validate integrity of critical payment configuration and transaction data in affected environments
  • Coordinate patching with Oracle E-Business Suite maintenance windows due to potential service impact

Evidence notes

Vulnerability confirmed through Oracle's official security advisory. CVSS vector confirms network-based, unauthenticated attack with high complexity. Affected versions explicitly listed as 12.2.3-12.2.15. No CISA KEV listing at time of disclosure.

Official resources

Oracle disclosed this vulnerability on May 28, 2026 as part of their Critical Patch Update security advisory cycle.