Introduction
Oracle's Financials Common Modules, a shared component layer underpinning financial operations across Oracle E-Business Suite, now carries a high severity vulnerability that can cross security boundaries and expose critical financial data to any authenticated user with minimal privileges. This matters not just because of the CVSS 8.5 score, but because the Oracle EBS platform has been under sustained, documented attack by the Cl0p ransomware group and suspected FIN11 operators throughout 2025 and into 2026, with prior EBS zero days leading to breaches affecting millions of individuals.
CVE-2026-46820 was disclosed on May 28, 2026 as part of Oracle's inaugural monthly Critical Security Patch Update (CSPU), marking the company's shift from quarterly to monthly patch cadence. The vulnerability affects Oracle EBS versions 12.2.3 through 12.2.15, which spans approximately a decade of releases and covers all currently supported versions of the platform.
Technical Information
Vulnerability Characteristics
CVE-2026-46820 is located in the Common Components subcomponent of Oracle Financials Common Modules. According to the NVD description, it is "easily exploitable" and allows "a low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules." No CWE classification has been assigned, and no specific technical root cause (such as SQL injection, SSRF, or insecure direct object reference) has been publicly disclosed.
The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, which breaks down as follows:
| CVSS Metric | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network; no physical or local access required |
| Attack Complexity (AC) | Low (L) | No specialized conditions needed; repeatable and reliable exploitation |
| Privileges Required (PR) | Low (L) | Any authenticated low privilege account suffices |
| User Interaction (UI) | None (N) | No victim interaction needed for exploitation |
| Scope (S) | Changed (C) | Impact crosses security boundaries to additional products |
| Confidentiality (C) | High (H) | Complete access to all Financials Common Modules data |
| Integrity (I) | Low (L) | Unauthorized insert, update, or delete of some accessible data |
| Availability (A) | None (N) | No direct impact on system availability |
Scope Change: Why It Matters
The scope change designation (S:C) is the most architecturally significant aspect of this vulnerability. In CVSS 3.1 terms, scope change means the vulnerable component and the impacted component are different. While the flaw resides in Oracle Financials Common Modules, the NVD advisory explicitly states that "attacks may significantly impact additional products." In practical terms, an attacker who compromises the Financials Common Modules may be able to leverage that foothold to affect other Oracle EBS products that share the same application tier infrastructure.
This is particularly relevant because Oracle Financials Common Modules serves as a shared component layer. The module provides common functionality including subledger accounting, payables and receivables processing, and intercompany settlement data that other EBS modules depend on.
Attack Surface
The attack requires HTTP network access and low privilege authentication. This means an attacker must possess at least a valid low privilege credential on the Oracle EBS instance. The attack surface includes:
- Internal corporate networks where EBS web tier components are accessible
- Internet facing EBS deployments (which are more common than many organizations realize)
- Any environment where low privilege credentials can be obtained through credential stuffing, phishing, or insider access
Impact Assessment
Successful exploitation produces two categories of impact:
-
Confidentiality (High): The NVD description specifies "unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data." This encompasses financial transactions, subledger accounting data, payables and receivables information, and intercompany settlement data.
-
Integrity (Low): "Unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data." While rated Low in CVSS terms, any unauthorized modification of financial data carries significant compliance and audit implications under frameworks like SOX, IFRS, and GAAP.
Contextual Attack Pattern Analysis
While the exact exploit mechanism for CVE-2026-46820 has not been publicly documented, prior Oracle EBS vulnerabilities have followed a consistent exploitation pattern worth understanding. Google Threat Intelligence Group documented that CVE-2025-61882 exploitation combined Server Side Request Forgery (SSRF), Carriage Return Line Feed (CRLF) injection, authentication bypass, and XSL template injection to achieve remote code execution. That attack chain targeted /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet, creating malicious templates in the XDO_TEMPLATES_B database table that were then triggered via Template Preview functionality.
The common thread across Oracle EBS vulnerabilities is the exploitation of the OA_HTML servlet infrastructure and the BI Publisher/XDO template framework as attack surfaces. Given that CVE-2026-46820 also involves an HTTP accessible component with scope change, it is plausible that the Common Components subcomponent exposes a similar attack surface, though this has not been confirmed in public sources.
Comparative Analysis
Understanding CVE-2026-46820 in the context of recent Oracle EBS vulnerabilities helps calibrate the risk:
| Dimension | CVE-2026-46820 | CVE-2025-61882 | CVE-2025-61884 |
|---|---|---|---|
| CVSS Score | 8.5 | 9.8 | 7.5 |
| Authentication Required | Low privilege | None (unauthenticated) | None (unauthenticated) |
| Affected Component | Financials Common Modules | Concurrent Processing / BI Publisher | Configurator Runtime UI |
| Scope Change | Yes | Not specified | Not specified |
| Confidentiality Impact | High | Critical | Moderate |
| Known Exploitation | Not confirmed | Yes (Cl0p/FIN11, CISA KEV) | Not independently confirmed |
The key divergence is the authentication requirement: CVE-2026-46820 requires low privilege credentials, whereas CVE-2025-61882 was exploitable without authentication. This narrows the immediate attack surface but does not eliminate the threat, as low privilege credentials are commonly obtainable. The scope change in CVE-2026-46820, absent in the other two CVEs, creates a unique risk dimension where the blast radius extends beyond the Financials Common Modules.
Affected Systems and Versions
The vulnerability affects the Oracle Financials Common Modules product of Oracle E-Business Suite, specifically the Common Components subcomponent.
Affected versions: Oracle E-Business Suite 12.2.3 through 12.2.15
This version range spans all currently supported releases of Oracle E-Business Suite. Any organization running a supported EBS version is affected.
Vendor Security History
Oracle E-Business Suite has experienced a pattern of significant security incidents in recent years:
| Incident | CVE | CVSS | Details |
|---|---|---|---|
| EBS Concurrent Processing RCE (Zero Day) | CVE-2025-61882 | 9.8 | Unauthenticated RCE via BI Publisher Integration; exploited as zero day from August 2025; added to CISA KEV catalog |
| EBS Configurator Data Exposure | CVE-2025-61884 | 7.5 | Unauthenticated data exposure in Configurator Runtime UI; patched October 2025 |
| Oracle Cloud Breach | CVE-2021-35587 | N/A | Threat actor "rose87168" exfiltrated 6M records affecting 140,000+ tenants via SSO/LDAP vulnerabilities |
| University of Phoenix Breach | CVE-2025-61882 | 9.8 | 3.5 million individuals affected; hackers exploited zero day vulnerabilities in Oracle EBS |
Oracle surpassed SAP as the No. 1 ERP applications provider in 2024, making the security posture of its EBS platform a matter of broad industry concern. The April 2026 CPU alone addressed 481 security vulnerabilities across Oracle's product portfolio. The transition to monthly CSPUs beginning May 2026 reflects Oracle's acknowledgment that the quarterly cadence was insufficient for the volume and severity of vulnerabilities being discovered.
The recurring pattern of EBS vulnerabilities with HTTP based attack vectors, low privilege requirements, and scope change is not anomalous; it reflects a systemic architectural characteristic of the platform. Threat actors have built repeatable tooling (the GOLDVEIN downloader, SAGE infection chain, XDO template injection techniques) specifically designed to exploit the Oracle EBS architecture.
Threat Landscape Context
As of May 29, 2026, no confirmed evidence of active exploitation of CVE-2026-46820 has been found in public sources. No proof of concept exploit code has been published. Given that the CVE was published only one day prior, this is expected.
However, the broader threat landscape warrants attention:
Cl0p Ransomware / Suspected FIN11 (UNC5936): Beginning September 29, 2025, threat actors claiming affiliation with the Cl0P extortion brand sent extortion emails to executives, alleging data theft from their Oracle EBS systems. These actors provided legitimate file listings from victim EBS environments with data dating back to mid August 2025 to substantiate their claims. The compromised accounts used to send these emails were sourced from infostealer malware logs.
FIN11 Linkage: Google Threat Intelligence Group identified logical similarities between the Cl0P EBS campaign and suspected FIN11 operations (UNC5936). The GOLDVEIN.JAVA downloader used in EBS attacks is reminiscent of the GOLDVEIN downloader and GOLDTOMB backdoor deployed by UNC5936 during the mass exploitation of the Cleo MFT vulnerability in late 2024.
Exploitation Timeline for CVE-2025-61882:
| Date | Event |
|---|---|
| July 2025 | Mandiant identifies suspicious activity targeting Oracle EBS servers |
| August 9, 2025 | Earliest confirmed exploitation of CVE-2025-61882 as zero day |
| October 3, 2025 | Exploit leaked in Telegram group |
| October 4, 2025 | Oracle releases emergency patch |
| September 29, 2025 onward | Cl0P extortion campaign targeting EBS victims |
The CVSS vector for CVE-2026-46820 aligns with the exploitation profile of prior successfully exploited EBS CVEs. The scope change characteristic increases the potential reward for attackers, as compromise of Financials Common Modules may enable lateral movement to additional EBS modules. Organizations should not wait for confirmed exploitation before prioritizing remediation.
Recommended Actions
Oracle has addressed CVE-2026-46820 in the Critical Security Patch Update for May 2026, released on May 28, 2026. This CSPU contains 12 new security patches for Oracle E-Business Suite. Organizations should:
- Download and apply the May 2026 CSPU from Oracle's security alerts page
- Run the EBS Java Critical Patch Update Checker (EJCPUC) on both the application tier and database tier before applying patches
- Restrict outbound internet access from EBS servers to reduce the risk of data exfiltration following a successful exploitation attempt
- Monitor network logs for indicators of compromise, particularly unusual HTTP requests targeting OA_HTML servlets and Financials Common Modules endpoints
- Hunt for malicious templates in the
XDO_TEMPLATES_BandXDO_LOBSdatabase tables, looking for entries withTemplateCodestarting withTMPorDEFandTemplateTypeset toXSL-TEXTorXMLthat were not created by authorized administrators - Minimize internet facing EBS exposure by placing web tier components behind reverse proxy or WAF protection
- Consider upgrading to Oracle AI DB 26ai or DB 19c to ensure continued security patch availability
For patching prioritization: internet facing systems should be patched within 72 hours. Internally facing systems should be patched within two weeks. The combination of easy exploitability, sensitive financial data, and the active threat actor ecosystem targeting Oracle EBS justifies aggressive timelines.
References
- NVD: CVE-2026-46820
- Oracle Security Critical Patch Update Advisory, May 2026
- Oracle Critical Patch Updates and Security Alerts
- Google Threat Intelligence: Oracle E-Business Suite Zero-Day Exploited in Widespread Attacks
- HIPAA Journal: Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite
- Oracle Financials Common Modules Documentation
- April 2026 Updates to EBS Java Critical Patch Update Checker (EJCPUC)
- BitSight: CVE-2025-61882 in Oracle E-Business Suite
- Zeropath: Oracle E-Business Suite CVE-2025-61884 Summary
- Qualys: Oracle Critical Patch Update, April 2026 Security Update Review
- Cybersecurity Dive: Oracle E-Business Suite Exploitation Traced Back to July
- Oracle EBSTech: Reminder to Upgrade to Oracle AI DB 26ai or DB 19c
- Apps Run the World: Oracle Surpasses SAP as No. 1 ERP Apps Provider



