PatchSiren cyber security CVE debrief

CVE-2026-46821 Oracle Corporation CVE debrief

A high-severity confidentiality vulnerability in Oracle E-Business Suite Financials Common Modules allows low-privileged attackers with network access to gain unauthorized access to critical data across multiple products. The vulnerability affects versions 12.2.3 through 12.2.15 and was disclosed by Oracle in May 2026.

Vendor: Oracle Corporation
Product: Oracle Financials Common Modules
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle E-Business Suite versions 12.2.3-12.2.15 with Financials Common Modules deployed, particularly those with integrated product environments where scope change could expand data exposure risk.

Technical summary

The vulnerability exists in Oracle Financials Common Modules (component: Common Components) and allows low-privileged attackers with network access via HTTP to compromise confidentiality of critical data. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope affecting additional products, and high confidentiality impact with no integrity or availability impact.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Oracle Critical Patch Update for May 2026 to affected E-Business Suite installations
  • Restrict network access to Oracle Financials Common Modules to authorized users only
  • Review access logs for unauthorized data access attempts by low-privileged accounts
  • Assess scope of accessible data across integrated Oracle products given S:C scope change
  • Validate patch deployment across all affected versions (12.2.3-12.2.15)
  • Monitor Oracle security alerts for additional guidance on this vulnerability

Evidence notes

Oracle's official security advisory confirms affected versions (12.2.3-12.2.15) and CVSS 3.1 scoring. NVD entry reflects identical technical details with vulnStatus 'Received'. No CISA KEV listing present.

Official resources

Oracle disclosed this vulnerability on 2026-05-28 as part of its Critical Patch Update. The vulnerability resides in the Common Components module of Oracle Financials Common Modules but can impact additional products through scope change.