PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46837 Oracle Corporation CVE debrief

A critical SQL injection vulnerability in Oracle Flow Manufacturing (Oracle E-Business Suite component: Security) allows low-privileged attackers with network access to achieve complete system takeover. Affected versions span 12.2.9 through 12.2.15. The vulnerability carries a CVSS 3.1 base score of 8.8 (High): network attack vector, low attack complexity, and low privileges required, making it easily exploitable with severe confidentiality, integrity, and availability impacts. Oracle published security guidance in May 2026. Organizations should prioritize patching and restrict SQL network access pending remediation.

Vendor: Oracle Corporation
Product: Oracle Flow Manufacturing
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle E-Business Suite Flow Manufacturing module versions 12.2.9-12.2.15; database administrators; application security teams; compliance officers tracking Oracle patch status

Technical summary

Oracle Flow Manufacturing in Oracle E-Business Suite versions 12.2.9 through 12.2.15 contains an easily exploitable SQL injection vulnerability in its Security component. A low-privileged attacker with network access can send crafted SQL queries to compromise the application, resulting in complete takeover with high impact to confidentiality, integrity, and availability. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a network attack surface, low attack complexity, low privileges required, and no user interaction required.

Defensive priority

critical

Recommended defensive actions

  • Apply Oracle Critical Patch Update for May 2026 immediately to affected Flow Manufacturing instances
  • Restrict network access to Oracle E-Business Suite SQL interfaces to authorized administrative hosts only
  • Audit database activity logs for anomalous SQL execution from low-privileged accounts
  • Validate input sanitization on all SQL-accessible endpoints in Flow Manufacturing components
  • Review and enforce principle of least privilege for database accounts used by Oracle E-Business Suite applications

Evidence notes

Oracle is identified as the affected vendor based on reference domain evidence from [email protected]. The vulnerability affects Oracle Flow Manufacturing within Oracle E-Business Suite. The CVSS vector confirms a network-accessible, low-complexity, low-privilege attack path leading to complete CIA compromise.

Official resources

Oracle disclosed this vulnerability via their Critical Patch Update security advisory in May 2026. The CVE was published to NVD on 2026-05-28 with vulnerability status 'Received'. No CISA KEV listing exists at time of analysis.