Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-46817

Oracle E-Business Suite Payments improper privilege management (unauth RCE)

A critical improper-privilege-management flaw in the Oracle Payments component of Oracle E-Business Suite (File Transmission) that lets an unauthenticated network attacker take over Oracle Payments. Patched in Oracle's May 2026 Critical Patch Update; added to CISA KEV on July 15, 2026.

cat cve-2026-46817.json
Vendor
Oracle
Product
E-Business Suite — Oracle Payments (versions 12.2.3–12.2.15)
CVSS
9.8
EPSS (exploit probability)
N/A
Status
kev
Published

CVE-2026-46817 is an improper-privilege-management vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission), affecting versions 12.2.3 through 12.2.15. An unauthenticated attacker with network access via HTTP can compromise Oracle Payments — CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Oracle patched the flaw in its May 2026 Critical Patch Update. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-07-15, starting a federal-civilian remediation clock under BOD 26-04.

Why it matters

Oracle E-Business Suite is the ERP backbone at a large share of Fortune 500 and government-adjacent organizations. The Payments module handles payment-instrument data and payment-file transmission, so a full compromise of that module is not “an internal-application bug” — it is compromise of the system that moves money and holds the credentials and tokens that authenticate to payment processors.

Unauthenticated over HTTP means there is no credential requirement, no user interaction, and no privilege prerequisite. Any Internet-exposed EBS Payments endpoint is directly reachable by an attacker with the exploit; internally exposed endpoints are reachable by any actor who has already reached the corporate network.

What to do

Apply Oracle’s May 2026 Critical Patch Update to the affected Oracle Payments version if you haven’t already — the fix has been available for roughly seven weeks. Confirm the running EBS build number against the cspumay2026 advisory rather than trusting patch-management-tool reports alone. NVD’s canonical record is here.

If your EBS Payments interface has been Internet-exposed and unpatched, treat this as a possible-compromise scenario rather than a routine patch. Review Payments transmission logs for anomalous file transfers, review Oracle Payments account activity for unfamiliar service or admin accounts, and rotate credentials the Payments module holds for downstream payment-processor integrations.