PatchSiren cyber security CVE debrief
CVE-2026-46819 Oracle Corporation CVE debrief
A critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite's Internet Procurement Connector component allows network-based attackers to compromise confidentiality and integrity of all accessible data without authentication. The vulnerability affects versions 12.2.3 through 12.2.15 and carries a CVSS 3.1 base score of 9.1. Published by NVD on May 28, 2026, this vulnerability is classified as easily exploitable with low attack complexity, requiring no privileges or user interaction. The attack vector is network-based via HTTP. Successful exploitation enables unauthorized creation, deletion, or modification of critical data as well as unauthorized access to all accessible data within the Oracle Internet Procurement Connector. No availability impact is indicated. Oracle has issued a security alert as part of their Critical Patch Update.
- Vendor: Oracle Corporation
- Product: Oracle Internet Procurement Connector
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Oracle E-Business Suite with Internet Procurement Connector versions 12.2.3-12.2.15, particularly those with externally accessible procurement systems. Security teams responsible for Oracle application security, procurement system administrators, and compliance officers monitoring for critical vendor vulnerabilities should prioritize assessment and patching.
Technical summary
The Oracle Internet Procurement Connector component within Oracle E-Business Suite contains an easily exploitable vulnerability in its Internal Operations component. Unauthenticated attackers with network access can send HTTP requests to compromise the system. The vulnerability enables both unauthorized data access (confidentiality) and unauthorized data modification (integrity) across all Oracle Internet Procurement Connector accessible data. Attack complexity is low, no privileges are required, and no user interaction is needed. The attack scope is unchanged. Affected versions span 12.2.3 through 12.2.15. No availability impact is associated with this vulnerability.
Defensive priority
critical
Recommended defensive actions
- Apply Oracle Critical Patch Update for May 2026 immediately to affected Oracle E-Business Suite Internet Procurement Connector installations
- Restrict network access to Oracle Internet Procurement Connector endpoints to authorized administrative hosts only
- Monitor HTTP access logs for anomalous unauthenticated requests to Internal Operations component endpoints
- Review Oracle security alert cspumay2026 for specific patch availability and deployment guidance
- Validate that affected versions 12.2.3-12.2.15 are not exposed to untrusted networks
- Conduct integrity verification of critical data within Oracle Internet Procurement Connector if compromise is suspected
Evidence notes
Source: NVD modified feed with official Oracle security alert reference. CVSS vector confirmed as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. Affected product: Oracle Internet Procurement Connector, component Internal Operations, versions 12.2.3-12.2.15.
Official resources
- CVE-2026-46819 CVE record (CVE.org)
- CVE-2026-46819 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
Oracle disclosed this vulnerability through their Critical Patch Update security alert on May 28, 2026. The vulnerability was received by NVD on the same date with vulnStatus 'Received'. No CISA KEV listing is present.