ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-46819 — Unauthenticated Data Access in Oracle E-Business Suite Internet Procurement Connector

A short review of CVE-2026-46819, a CVSS 9.1 unauthenticated vulnerability in Oracle E-Business Suite's Internet Procurement Connector that enables unauthorized access to and manipulation of critical procurement data over HTTP. Patch information from Oracle's inaugural monthly CSPU is included.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Brief Summary: CVE-2026-46819 — Unauthenticated Data Access in Oracle E-Business Suite Internet Procurement Connector
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Oracle's inaugural monthly Critical Security Patch Update for May 2026 includes a fix for a CVSS 9.1 vulnerability in the Internet Procurement Connector that allows an unauthenticated attacker to read and manipulate critical procurement data over HTTP. Given that the GRACEFUL SPIDER threat group (operating as Cl0p) already demonstrated mass exploitation of a structurally similar Oracle EBS flaw last year, this vulnerability enters a threat landscape where the playbook for attacking EBS procurement infrastructure already exists.

Oracle Internet Procurement Connector is part of the Oracle Procurement suite within E-Business Suite, enabling organizations to manage procurement workflows including requisition processing, purchase order management, and supplier interactions. The Internal Operations component, which is the specific target of this vulnerability, handles back end processing logic for procurement data flows, making it a high value target because it processes sensitive financial and supplier data.

Technical Information

Vulnerability Profile

CVE-2026-46819 affects the Internal Operations component of the Oracle Internet Procurement Connector product within Oracle E-Business Suite, covering versions 12.2.3 through 12.2.15. This version range spans the entire set of currently supported EBS 12.2 releases, meaning no supported EBS 12.2 deployment is exempt.

The CVSS 3.1 Base Score of 9.1 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N breaks down as follows:

CVSS MetricValueSignificance
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)LowMinimal technical skill required to exploit
Privileges Required (PR)NoneNo authentication needed
User Interaction (UI)NoneNo user action required
Scope (S)UnchangedImpact limited to the vulnerable component
Confidentiality (C)HighComplete access to all IPC accessible data
Integrity (I)HighUnauthorized creation, deletion, or modification of critical data
Availability (A)NoneNo direct availability impact

The attack protocol is HTTP, meaning exploitation occurs through standard web requests to the Oracle E-Business Suite application tier. Oracle's advisory describes the vulnerability as "easily exploitable," which in CVSS terms corresponds to the low attack complexity rating.

Impact Analysis

The C:H/I:H/A:N impact profile is notable because it distinguishes this vulnerability from the previously exploited CVE-2025-61882 (which carried A:H and enabled remote code execution). The absence of availability impact suggests that CVE-2026-46819 enables direct data access and tampering through the application layer rather than arbitrary code execution. Successful exploitation results in:

  • Unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data
  • Unauthorized creation, deletion, or modification of critical data

In practical terms, this means an attacker could read, alter, or delete procurement records, supplier information, purchase orders, and related financial data. Procurement data manipulation could cascade into supply chain fraud, financial misstatement, or regulatory non compliance.

Attack Surface Comparison with CVE-2025-61882

While no public proof of concept or detailed technical mechanism has been published for CVE-2026-46819, the exploitation pattern is strongly analogous to CVE-2025-61882. Both vulnerabilities share the same attack prerequisites: unauthenticated, network accessible, HTTP based, low complexity, no user interaction required.

The CVE-2025-61882 attack chain, as documented by CrowdStrike, involved three stages:

  1. An HTTP POST request to /OA_HTML/SyncServlet to bypass authentication
  2. Upload of a malicious XSLT template via requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to achieve code execution
  3. Deployment of web shells (using FileUtils.java and Log4jConfigQpgsubFilter.java) for persistence, with outbound connections established over port 443

CVE-2026-46819 targets a different component (Internal Operations rather than Concurrent Processing) and results in data manipulation rather than code execution. However, the shared HTTP vector and unauthenticated nature suggest a similar class of EBS application tier vulnerability, likely involving insufficient access controls on procurement related servlet endpoints.

Information Gaps

Several technical details remain unavailable as of May 29, 2026:

  • CWE classification: No CWE IDs have been assigned by NVD
  • Specific exploitation steps: The exact HTTP request pattern, vulnerable endpoint, or code level flaw within the Internal Operations component has not been publicly documented
  • CVSS 4.0 score: NIST has not yet provided a CVSS 4.0 assessment
  • Public exploit code: No proof of concept has been identified

The NVD record has a status of "Received," indicating very recent publication and incomplete enrichment.

Patch Information

Oracle addressed CVE-2026-46819 as part of its inaugural Critical Security Patch Update (CSPU) for May 2026, released on May 28, 2026. This is a significant milestone: it marks the very first release under Oracle's new monthly CSPU cadence, a program that supplements the traditional quarterly Critical Patch Updates with smaller, more focused security releases on a monthly schedule.

The fix for CVE-2026-46819 is one of 12 security patches for Oracle E-Business Suite included in this CSPU. It specifically targets the Internal Operations component of the Oracle Internet Procurement Connector product, covering versions 12.2.3 through 12.2.15. According to the risk matrix published in Oracle's verbose advisory, the vulnerability entry for CVE-2026-46819 does not mention that the patch bundles fixes for any other CVEs, meaning this is a standalone, targeted fix for this specific flaw. This is in contrast to several other CVEs in the same CSPU (e.g., CVE-2026-34059 or CVE-2025-15467) where Oracle explicitly notes the patch also addresses multiple companion CVEs.

Because Oracle E-Business Suite is proprietary, closed source software, no public source code diffs or commit level details are available. Customers with active Oracle support contracts can obtain the patch through My Oracle Support (MOS) by referencing the May 2026 CSPU advisory. Oracle's patch availability document for E-Business Suite Release 12 (typically available via MOS Note KA923) specifies the exact patch numbers and application steps for each affected EBS module.

An important deployment context: the CSPU model is specifically designed for customer managed (on premises or customer managed OCI) environments. Oracle managed cloud services receive these security updates automatically and continuously. For customer managed deployments, applying this patch should be treated with urgency given the CVSS 9.1 score and unauthenticated HTTP attack vector.

Oracle's advisory also emphasizes that E-Business Suite products include Oracle Database and Oracle Fusion Middleware components, and customers must apply the May 2026 CSPU to those underlying components as well. Partial patching of only the EBS application layer without patching the database and middleware tiers may leave residual exposure.

For organizations adapting to the new monthly cadence, Oracle provides the EBS Java Critical Patch Update Checker (EJCPUC) tool, updated in April 2026, to help administrators identify missing patches across their EBS environments. Oracle also recommends upgrading to EBS Release 12.2 and modernizing database infrastructure to Oracle AI DB 26ai or DB 19c to ensure continued eligibility for security fixes.

Affected Systems and Versions

  • Product: Oracle Internet Procurement Connector
  • Suite: Oracle E-Business Suite
  • Component: Internal Operations
  • Affected Versions: 12.2.3 through 12.2.15 (all currently supported EBS 12.2 releases)
  • Protocol: HTTP
  • Authentication Required: None

Product releases not under Premier Support or Extended Support are not tested for vulnerabilities by Oracle, so older unsupported versions may also be affected but will not receive patches.

Vendor Security History

Oracle E-Business Suite has a persistent pattern of critical, remotely exploitable vulnerabilities. The following table summarizes recent high severity EBS CVEs:

CVE IDProduct/ComponentCVSSExploitation StatusDate
CVE-2025-61882EBS Concurrent Processing9.8Actively exploited as zero day by GRACEFUL SPIDEROct 2025
CVE-2026-46819Internet Procurement Connector (Internal Operations)9.1Not confirmedMay 2026
CVE-2026-46822Oracle iAssets9.9Not confirmedMay 2026
CVE-2026-46824Oracle Universal Work Queue9.9Not confirmedMay 2026
CVE-2026-46817Oracle Payments File Transmission9.8Not confirmedMay 2026

The October 2025 CPU contained 9 new security patches for Oracle E-Business Suite, 6 of which were remotely exploitable without authentication. The May 2026 CSPU contains 12 new EBS patches, 3 remotely exploitable without authentication. This pattern demonstrates a persistent and significant attack surface within EBS.

The CVE-2025-61882 campaign is particularly instructive. CrowdStrike assessed with moderate confidence that GRACEFUL SPIDER was involved in mass exploitation of that vulnerability. The threat actor, operating under the "CLOP team" moniker, used known email addresses (support[@]pubstorm[.]com and support[@]pubstorm[.]net) to send extortion emails to victims on September 29, 2025, claiming to have accessed and exfiltrated data from their Oracle EBS applications. Exploitation had begun nearly two months earlier on August 9, 2025, well before Oracle's public disclosure on October 4, 2025. A Telegram channel post on October 3, 2025 insinuated collaboration between SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters, and contained a purported exploit for the vulnerability. Google Cloud/Mandiant separately confirmed Cl0p ransomware gang involvement in a large scale extortion campaign.

Oracle's own advisory acknowledges the problem directly: the organization "continues to receive reports of attempted malicious exploitation of vulnerabilities for which patches have already been released" and notes that "attackers have been successful because targeted customers failed to apply available patches."

The transition from quarterly CPUs to monthly CSPUs, effective May 2026, was driven in part by AI accelerated vulnerability discovery and the operational lessons of the CVE-2025-61882 zero day campaign. Oracle stated that AI "has significantly accelerated the pace at which software vulnerabilities are discovered, increasing the urgency for rapid response and remediation."

Threat Assessment for CVE-2026-46819

As of May 29, 2026, CVE-2026-46819 is not listed in the CISA Known Exploited Vulnerabilities catalog and no confirmed exploitation has been observed. However, several factors indicate elevated risk:

  1. Precedent: GRACEFUL SPIDER has already demonstrated capability and intent to exploit unauthenticated HTTP based Oracle EBS vulnerabilities using a mass scan and exploit model
  2. Attack surface similarity: CVE-2026-46819 shares the same unauthenticated HTTP attack vector and EBS application tier target as CVE-2025-61882
  3. Rapid exploitation window: The CVE-2025-61882 timeline shows that exploitation can begin months before public disclosure, and the gap between disclosure and public PoC availability was only one day
  4. Patch gap risk: Oracle has acknowledged that attackers succeed because customers fail to apply available patches

Organizations should not wait for a CISA KEV listing or confirmed exploitation reports before acting on this patch.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization