Introduction
Oracle's inaugural monthly Critical Security Patch Update for May 2026 includes a fix for a CVSS 9.1 vulnerability in the Internet Procurement Connector that allows an unauthenticated attacker to read and manipulate critical procurement data over HTTP. Given that the GRACEFUL SPIDER threat group (operating as Cl0p) already demonstrated mass exploitation of a structurally similar Oracle EBS flaw last year, this vulnerability enters a threat landscape where the playbook for attacking EBS procurement infrastructure already exists.
Oracle Internet Procurement Connector is part of the Oracle Procurement suite within E-Business Suite, enabling organizations to manage procurement workflows including requisition processing, purchase order management, and supplier interactions. The Internal Operations component, which is the specific target of this vulnerability, handles back end processing logic for procurement data flows, making it a high value target because it processes sensitive financial and supplier data.
Technical Information
Vulnerability Profile
CVE-2026-46819 affects the Internal Operations component of the Oracle Internet Procurement Connector product within Oracle E-Business Suite, covering versions 12.2.3 through 12.2.15. This version range spans the entire set of currently supported EBS 12.2 releases, meaning no supported EBS 12.2 deployment is exempt.
The CVSS 3.1 Base Score of 9.1 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N breaks down as follows:
| CVSS Metric | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | Minimal technical skill required to exploit |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No user action required |
| Scope (S) | Unchanged | Impact limited to the vulnerable component |
| Confidentiality (C) | High | Complete access to all IPC accessible data |
| Integrity (I) | High | Unauthorized creation, deletion, or modification of critical data |
| Availability (A) | None | No direct availability impact |
The attack protocol is HTTP, meaning exploitation occurs through standard web requests to the Oracle E-Business Suite application tier. Oracle's advisory describes the vulnerability as "easily exploitable," which in CVSS terms corresponds to the low attack complexity rating.
Impact Analysis
The C:H/I:H/A:N impact profile is notable because it distinguishes this vulnerability from the previously exploited CVE-2025-61882 (which carried A:H and enabled remote code execution). The absence of availability impact suggests that CVE-2026-46819 enables direct data access and tampering through the application layer rather than arbitrary code execution. Successful exploitation results in:
- Unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data
- Unauthorized creation, deletion, or modification of critical data
In practical terms, this means an attacker could read, alter, or delete procurement records, supplier information, purchase orders, and related financial data. Procurement data manipulation could cascade into supply chain fraud, financial misstatement, or regulatory non compliance.
Attack Surface Comparison with CVE-2025-61882
While no public proof of concept or detailed technical mechanism has been published for CVE-2026-46819, the exploitation pattern is strongly analogous to CVE-2025-61882. Both vulnerabilities share the same attack prerequisites: unauthenticated, network accessible, HTTP based, low complexity, no user interaction required.
The CVE-2025-61882 attack chain, as documented by CrowdStrike, involved three stages:
- An HTTP POST request to
/OA_HTML/SyncServletto bypass authentication - Upload of a malicious XSLT template via requests to
/OA_HTML/RF.jspand/OA_HTML/OA.jspto achieve code execution - Deployment of web shells (using
FileUtils.javaandLog4jConfigQpgsubFilter.java) for persistence, with outbound connections established over port 443
CVE-2026-46819 targets a different component (Internal Operations rather than Concurrent Processing) and results in data manipulation rather than code execution. However, the shared HTTP vector and unauthenticated nature suggest a similar class of EBS application tier vulnerability, likely involving insufficient access controls on procurement related servlet endpoints.
Information Gaps
Several technical details remain unavailable as of May 29, 2026:
- CWE classification: No CWE IDs have been assigned by NVD
- Specific exploitation steps: The exact HTTP request pattern, vulnerable endpoint, or code level flaw within the Internal Operations component has not been publicly documented
- CVSS 4.0 score: NIST has not yet provided a CVSS 4.0 assessment
- Public exploit code: No proof of concept has been identified
The NVD record has a status of "Received," indicating very recent publication and incomplete enrichment.
Patch Information
Oracle addressed CVE-2026-46819 as part of its inaugural Critical Security Patch Update (CSPU) for May 2026, released on May 28, 2026. This is a significant milestone: it marks the very first release under Oracle's new monthly CSPU cadence, a program that supplements the traditional quarterly Critical Patch Updates with smaller, more focused security releases on a monthly schedule.
The fix for CVE-2026-46819 is one of 12 security patches for Oracle E-Business Suite included in this CSPU. It specifically targets the Internal Operations component of the Oracle Internet Procurement Connector product, covering versions 12.2.3 through 12.2.15. According to the risk matrix published in Oracle's verbose advisory, the vulnerability entry for CVE-2026-46819 does not mention that the patch bundles fixes for any other CVEs, meaning this is a standalone, targeted fix for this specific flaw. This is in contrast to several other CVEs in the same CSPU (e.g., CVE-2026-34059 or CVE-2025-15467) where Oracle explicitly notes the patch also addresses multiple companion CVEs.
Because Oracle E-Business Suite is proprietary, closed source software, no public source code diffs or commit level details are available. Customers with active Oracle support contracts can obtain the patch through My Oracle Support (MOS) by referencing the May 2026 CSPU advisory. Oracle's patch availability document for E-Business Suite Release 12 (typically available via MOS Note KA923) specifies the exact patch numbers and application steps for each affected EBS module.
An important deployment context: the CSPU model is specifically designed for customer managed (on premises or customer managed OCI) environments. Oracle managed cloud services receive these security updates automatically and continuously. For customer managed deployments, applying this patch should be treated with urgency given the CVSS 9.1 score and unauthenticated HTTP attack vector.
Oracle's advisory also emphasizes that E-Business Suite products include Oracle Database and Oracle Fusion Middleware components, and customers must apply the May 2026 CSPU to those underlying components as well. Partial patching of only the EBS application layer without patching the database and middleware tiers may leave residual exposure.
For organizations adapting to the new monthly cadence, Oracle provides the EBS Java Critical Patch Update Checker (EJCPUC) tool, updated in April 2026, to help administrators identify missing patches across their EBS environments. Oracle also recommends upgrading to EBS Release 12.2 and modernizing database infrastructure to Oracle AI DB 26ai or DB 19c to ensure continued eligibility for security fixes.
Affected Systems and Versions
- Product: Oracle Internet Procurement Connector
- Suite: Oracle E-Business Suite
- Component: Internal Operations
- Affected Versions: 12.2.3 through 12.2.15 (all currently supported EBS 12.2 releases)
- Protocol: HTTP
- Authentication Required: None
Product releases not under Premier Support or Extended Support are not tested for vulnerabilities by Oracle, so older unsupported versions may also be affected but will not receive patches.
Vendor Security History
Oracle E-Business Suite has a persistent pattern of critical, remotely exploitable vulnerabilities. The following table summarizes recent high severity EBS CVEs:
| CVE ID | Product/Component | CVSS | Exploitation Status | Date |
|---|---|---|---|---|
| CVE-2025-61882 | EBS Concurrent Processing | 9.8 | Actively exploited as zero day by GRACEFUL SPIDER | Oct 2025 |
| CVE-2026-46819 | Internet Procurement Connector (Internal Operations) | 9.1 | Not confirmed | May 2026 |
| CVE-2026-46822 | Oracle iAssets | 9.9 | Not confirmed | May 2026 |
| CVE-2026-46824 | Oracle Universal Work Queue | 9.9 | Not confirmed | May 2026 |
| CVE-2026-46817 | Oracle Payments File Transmission | 9.8 | Not confirmed | May 2026 |
The October 2025 CPU contained 9 new security patches for Oracle E-Business Suite, 6 of which were remotely exploitable without authentication. The May 2026 CSPU contains 12 new EBS patches, 3 remotely exploitable without authentication. This pattern demonstrates a persistent and significant attack surface within EBS.
The CVE-2025-61882 campaign is particularly instructive. CrowdStrike assessed with moderate confidence that GRACEFUL SPIDER was involved in mass exploitation of that vulnerability. The threat actor, operating under the "CLOP team" moniker, used known email addresses (support[@]pubstorm[.]com and support[@]pubstorm[.]net) to send extortion emails to victims on September 29, 2025, claiming to have accessed and exfiltrated data from their Oracle EBS applications. Exploitation had begun nearly two months earlier on August 9, 2025, well before Oracle's public disclosure on October 4, 2025. A Telegram channel post on October 3, 2025 insinuated collaboration between SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters, and contained a purported exploit for the vulnerability. Google Cloud/Mandiant separately confirmed Cl0p ransomware gang involvement in a large scale extortion campaign.
Oracle's own advisory acknowledges the problem directly: the organization "continues to receive reports of attempted malicious exploitation of vulnerabilities for which patches have already been released" and notes that "attackers have been successful because targeted customers failed to apply available patches."
The transition from quarterly CPUs to monthly CSPUs, effective May 2026, was driven in part by AI accelerated vulnerability discovery and the operational lessons of the CVE-2025-61882 zero day campaign. Oracle stated that AI "has significantly accelerated the pace at which software vulnerabilities are discovered, increasing the urgency for rapid response and remediation."
Threat Assessment for CVE-2026-46819
As of May 29, 2026, CVE-2026-46819 is not listed in the CISA Known Exploited Vulnerabilities catalog and no confirmed exploitation has been observed. However, several factors indicate elevated risk:
- Precedent: GRACEFUL SPIDER has already demonstrated capability and intent to exploit unauthenticated HTTP based Oracle EBS vulnerabilities using a mass scan and exploit model
- Attack surface similarity: CVE-2026-46819 shares the same unauthenticated HTTP attack vector and EBS application tier target as CVE-2025-61882
- Rapid exploitation window: The CVE-2025-61882 timeline shows that exploitation can begin months before public disclosure, and the gap between disclosure and public PoC availability was only one day
- Patch gap risk: Oracle has acknowledged that attackers succeed because customers fail to apply available patches
Organizations should not wait for a CISA KEV listing or confirmed exploitation reports before acting on this patch.
References
- NVD: CVE-2026-46819
- Oracle Security Critical Patch Update Advisory: May 2026
- Oracle Security Critical Patch Update Advisory: May 2026 (Verbose)
- CrowdStrike: Campaign Targeting Oracle E-Business Suite Zero-Day CVE-2025-61882
- Oracle: Monthly Critical Security Patch Updates Announcement
- Oracle Critical Patch Update Advisory: October 2025
- Rapid7: Critical 0day in Oracle E-Business Suite Exploited in the Wild
- Google Cloud/Mandiant: Oracle E-Business Suite Zero-Day Exploitation
- CISA Known Exploited Vulnerabilities Catalog
- CISA: Adds Three Known Exploited Vulnerabilities to Catalog (May 27, 2026)
- Oracle: April 2026 Updates to EBS Java Critical Patch Update Checker
- Oracle iProcurement Overview
- Oracle E-Business Suite Applications
- Oracle: Reminder to Upgrade to Oracle AI DB 26ai or DB 19c
- CSA Singapore: Critical Vulnerability in Oracle Products



