PatchSiren

CVE-2026-46822 Oracle Corporation CVE debrief

A critical vulnerability in Oracle iAssets (Oracle E-Business Suite component: Internal Operations) allows low-privileged attackers with network access to achieve complete system takeover. The vulnerability affects versions 12.2.3 through 12.2.15 and carries a CVSS 3.1 score of 9.9 due to its network attack vector, low attack complexity, and scope change to additional products. Successful exploitation enables attackers to compromise confidentiality, integrity, and availability of Oracle iAssets and potentially other integrated systems. The scope change indicator (S:C) suggests this vulnerability may serve as a pivot point for broader compromise within Oracle E-Business Suite environments.

Vendor: Oracle Corporation
Product: Oracle iAssets
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle E-Business Suite with iAssets module versions 12.2.3-12.2.15, particularly those with externally accessible HTTP interfaces or multi-product Oracle environments where scope change could amplify impact.

Technical summary

Oracle iAssets in Oracle E-Business Suite versions 12.2.3-12.2.15 contains an easily exploitable vulnerability in its Internal Operations component. Low-privileged attackers with HTTP network access can compromise the application and achieve complete takeover. The vulnerability's scope change characteristic indicates attacks may extend impact to additional Oracle products beyond iAssets. CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Defensive priority

Critical

Recommended defensive actions

  • Apply Oracle Critical Patch Update for May 2026 immediately to affected iAssets 12.2.3-12.2.15 instances
  • Restrict network access to Oracle iAssets administrative interfaces to authorized administrative hosts only
  • Review Oracle E-Business Suite integration points for potential scope change impact
  • Monitor Oracle security alerts for additional guidance on this vulnerability
  • Validate that compensating controls are in place if patching cannot be performed immediately

Evidence notes

Oracle's official security advisory confirms affected versions and CVSS scoring. The scope change designation indicates potential for cross-product impact within Oracle E-Business Suite deployments.

Official resources

Oracle disclosed this vulnerability on May 28, 2026, through its Critical Patch Update security advisory. No known exploitation in the wild has been reported at time of disclosure.