PatchSiren

CVE-2026-46823 Oracle Corporation CVE debrief

A high-severity authorization vulnerability in Oracle Public Sector Financials (International) allows low-privileged attackers with network access to gain unauthorized access to critical data across Oracle E-Business Suite. The vulnerability affects versions 12.2.6 through 12.2.15 and carries a CVSS 3.1 score of 7.7. The scope change indicator (S:C) suggests successful exploitation may impact additional products beyond the vulnerable component.

Vendor: Oracle Corporation
Product: Oracle Public Sector Financials (International)
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle E-Business Suite with Public Sector Financials (International) versions 12.2.6-12.2.15, particularly government and public sector entities, financial administrators, and Oracle EBS security teams responsible for maintaining authorization controls and data access governance.

Technical summary

The vulnerability exists in the Authorization component of Oracle Public Sector Financials (International), a module within Oracle E-Business Suite. The flaw allows low-privileged authenticated attackers to exploit the authorization mechanism over HTTPS, resulting in unauthorized access to critical data. The CVSS scope change metric (S:C) indicates that successful attacks may extend beyond the vulnerable component to affect additional products within the Oracle E-Business Suite environment. The vulnerability is rated HIGH severity with a base score of 7.7, primarily impacting confidentiality with no integrity or availability impacts.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Oracle Critical Patch Update (CPU) for May 2026 as soon as available
  • Review and restrict HTTPS access to Oracle Public Sector Financials (International) components
  • Audit user privileges and implement principle of least privilege for E-Business Suite accounts
  • Monitor for unauthorized data access attempts across Oracle E-Business Suite products
  • Validate scope of impact given S:C CVSS metric indicating potential cross-product effects

Evidence notes

Oracle Critical Patch Update advisory published May 2026. NVD record received 2026-05-28. No known exploitation in the wild (KEV: false).
