ZeroPath at Black Hat USA 2026

Overview of CVE-2026-46820: Oracle E-Business Suite Financials Common Modules Scope Change Vulnerability

A brief summary of CVE-2026-46820, a high severity vulnerability in Oracle Financials Common Modules (CVSS 8.5) that enables low privileged attackers to access critical financial data and impact additional products through scope change, in the context of sustained threat actor targeting of the Oracle EBS platform.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Overview of CVE-2026-46820: Oracle E-Business Suite Financials Common Modules Scope Change Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Oracle's Financials Common Modules, a shared component layer underpinning financial operations across Oracle E-Business Suite, now carries a high severity vulnerability that can cross security boundaries and expose critical financial data to any authenticated user with minimal privileges. This matters not just because of the CVSS 8.5 score, but because the Oracle EBS platform has been under sustained, documented attack by the Cl0p ransomware group and suspected FIN11 operators throughout 2025 and into 2026, with prior EBS zero days leading to breaches affecting millions of individuals.

CVE-2026-46820 was disclosed on May 28, 2026 as part of Oracle's inaugural monthly Critical Security Patch Update (CSPU), marking the company's shift from quarterly to monthly patch cadence. The vulnerability affects Oracle EBS versions 12.2.3 through 12.2.15, which spans approximately a decade of releases and covers all currently supported versions of the platform.

Technical Information

Vulnerability Characteristics

CVE-2026-46820 is located in the Common Components subcomponent of Oracle Financials Common Modules. According to the NVD description, it is "easily exploitable" and allows "a low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules." No CWE classification has been assigned, and no specific technical root cause (such as SQL injection, SSRF, or insecure direct object reference) has been publicly disclosed.

The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, which breaks down as follows:

CVSS MetricValueSignificance
Attack Vector (AV)Network (N)Exploitable remotely over the network; no physical or local access required
Attack Complexity (AC)Low (L)No specialized conditions needed; repeatable and reliable exploitation
Privileges Required (PR)Low (L)Any authenticated low privilege account suffices
User Interaction (UI)None (N)No victim interaction needed for exploitation
Scope (S)Changed (C)Impact crosses security boundaries to additional products
Confidentiality (C)High (H)Complete access to all Financials Common Modules data
Integrity (I)Low (L)Unauthorized insert, update, or delete of some accessible data
Availability (A)None (N)No direct impact on system availability

Scope Change: Why It Matters

The scope change designation (S:C) is the most architecturally significant aspect of this vulnerability. In CVSS 3.1 terms, scope change means the vulnerable component and the impacted component are different. While the flaw resides in Oracle Financials Common Modules, the NVD advisory explicitly states that "attacks may significantly impact additional products." In practical terms, an attacker who compromises the Financials Common Modules may be able to leverage that foothold to affect other Oracle EBS products that share the same application tier infrastructure.

This is particularly relevant because Oracle Financials Common Modules serves as a shared component layer. The module provides common functionality including subledger accounting, payables and receivables processing, and intercompany settlement data that other EBS modules depend on.

Attack Surface

The attack requires HTTP network access and low privilege authentication. This means an attacker must possess at least a valid low privilege credential on the Oracle EBS instance. The attack surface includes:

  • Internal corporate networks where EBS web tier components are accessible
  • Internet facing EBS deployments (which are more common than many organizations realize)
  • Any environment where low privilege credentials can be obtained through credential stuffing, phishing, or insider access

Impact Assessment

Successful exploitation produces two categories of impact:

  1. Confidentiality (High): The NVD description specifies "unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data." This encompasses financial transactions, subledger accounting data, payables and receivables information, and intercompany settlement data.

  2. Integrity (Low): "Unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data." While rated Low in CVSS terms, any unauthorized modification of financial data carries significant compliance and audit implications under frameworks like SOX, IFRS, and GAAP.

Contextual Attack Pattern Analysis

While the exact exploit mechanism for CVE-2026-46820 has not been publicly documented, prior Oracle EBS vulnerabilities have followed a consistent exploitation pattern worth understanding. Google Threat Intelligence Group documented that CVE-2025-61882 exploitation combined Server Side Request Forgery (SSRF), Carriage Return Line Feed (CRLF) injection, authentication bypass, and XSL template injection to achieve remote code execution. That attack chain targeted /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet, creating malicious templates in the XDO_TEMPLATES_B database table that were then triggered via Template Preview functionality.

The common thread across Oracle EBS vulnerabilities is the exploitation of the OA_HTML servlet infrastructure and the BI Publisher/XDO template framework as attack surfaces. Given that CVE-2026-46820 also involves an HTTP accessible component with scope change, it is plausible that the Common Components subcomponent exposes a similar attack surface, though this has not been confirmed in public sources.

Comparative Analysis

Understanding CVE-2026-46820 in the context of recent Oracle EBS vulnerabilities helps calibrate the risk:

DimensionCVE-2026-46820CVE-2025-61882CVE-2025-61884
CVSS Score8.59.87.5
Authentication RequiredLow privilegeNone (unauthenticated)None (unauthenticated)
Affected ComponentFinancials Common ModulesConcurrent Processing / BI PublisherConfigurator Runtime UI
Scope ChangeYesNot specifiedNot specified
Confidentiality ImpactHighCriticalModerate
Known ExploitationNot confirmedYes (Cl0p/FIN11, CISA KEV)Not independently confirmed

The key divergence is the authentication requirement: CVE-2026-46820 requires low privilege credentials, whereas CVE-2025-61882 was exploitable without authentication. This narrows the immediate attack surface but does not eliminate the threat, as low privilege credentials are commonly obtainable. The scope change in CVE-2026-46820, absent in the other two CVEs, creates a unique risk dimension where the blast radius extends beyond the Financials Common Modules.

Affected Systems and Versions

The vulnerability affects the Oracle Financials Common Modules product of Oracle E-Business Suite, specifically the Common Components subcomponent.

Affected versions: Oracle E-Business Suite 12.2.3 through 12.2.15

This version range spans all currently supported releases of Oracle E-Business Suite. Any organization running a supported EBS version is affected.

Vendor Security History

Oracle E-Business Suite has experienced a pattern of significant security incidents in recent years:

IncidentCVECVSSDetails
EBS Concurrent Processing RCE (Zero Day)CVE-2025-618829.8Unauthenticated RCE via BI Publisher Integration; exploited as zero day from August 2025; added to CISA KEV catalog
EBS Configurator Data ExposureCVE-2025-618847.5Unauthenticated data exposure in Configurator Runtime UI; patched October 2025
Oracle Cloud BreachCVE-2021-35587N/AThreat actor "rose87168" exfiltrated 6M records affecting 140,000+ tenants via SSO/LDAP vulnerabilities
University of Phoenix BreachCVE-2025-618829.83.5 million individuals affected; hackers exploited zero day vulnerabilities in Oracle EBS

Oracle surpassed SAP as the No. 1 ERP applications provider in 2024, making the security posture of its EBS platform a matter of broad industry concern. The April 2026 CPU alone addressed 481 security vulnerabilities across Oracle's product portfolio. The transition to monthly CSPUs beginning May 2026 reflects Oracle's acknowledgment that the quarterly cadence was insufficient for the volume and severity of vulnerabilities being discovered.

The recurring pattern of EBS vulnerabilities with HTTP based attack vectors, low privilege requirements, and scope change is not anomalous; it reflects a systemic architectural characteristic of the platform. Threat actors have built repeatable tooling (the GOLDVEIN downloader, SAGE infection chain, XDO template injection techniques) specifically designed to exploit the Oracle EBS architecture.

Threat Landscape Context

As of May 29, 2026, no confirmed evidence of active exploitation of CVE-2026-46820 has been found in public sources. No proof of concept exploit code has been published. Given that the CVE was published only one day prior, this is expected.

However, the broader threat landscape warrants attention:

Cl0p Ransomware / Suspected FIN11 (UNC5936): Beginning September 29, 2025, threat actors claiming affiliation with the Cl0P extortion brand sent extortion emails to executives, alleging data theft from their Oracle EBS systems. These actors provided legitimate file listings from victim EBS environments with data dating back to mid August 2025 to substantiate their claims. The compromised accounts used to send these emails were sourced from infostealer malware logs.

FIN11 Linkage: Google Threat Intelligence Group identified logical similarities between the Cl0P EBS campaign and suspected FIN11 operations (UNC5936). The GOLDVEIN.JAVA downloader used in EBS attacks is reminiscent of the GOLDVEIN downloader and GOLDTOMB backdoor deployed by UNC5936 during the mass exploitation of the Cleo MFT vulnerability in late 2024.

Exploitation Timeline for CVE-2025-61882:

DateEvent
July 2025Mandiant identifies suspicious activity targeting Oracle EBS servers
August 9, 2025Earliest confirmed exploitation of CVE-2025-61882 as zero day
October 3, 2025Exploit leaked in Telegram group
October 4, 2025Oracle releases emergency patch
September 29, 2025 onwardCl0P extortion campaign targeting EBS victims

The CVSS vector for CVE-2026-46820 aligns with the exploitation profile of prior successfully exploited EBS CVEs. The scope change characteristic increases the potential reward for attackers, as compromise of Financials Common Modules may enable lateral movement to additional EBS modules. Organizations should not wait for confirmed exploitation before prioritizing remediation.

Oracle has addressed CVE-2026-46820 in the Critical Security Patch Update for May 2026, released on May 28, 2026. This CSPU contains 12 new security patches for Oracle E-Business Suite. Organizations should:

  • Download and apply the May 2026 CSPU from Oracle's security alerts page
  • Run the EBS Java Critical Patch Update Checker (EJCPUC) on both the application tier and database tier before applying patches
  • Restrict outbound internet access from EBS servers to reduce the risk of data exfiltration following a successful exploitation attempt
  • Monitor network logs for indicators of compromise, particularly unusual HTTP requests targeting OA_HTML servlets and Financials Common Modules endpoints
  • Hunt for malicious templates in the XDO_TEMPLATES_B and XDO_LOBS database tables, looking for entries with TemplateCode starting with TMP or DEF and TemplateType set to XSL-TEXT or XML that were not created by authorized administrators
  • Minimize internet facing EBS exposure by placing web tier components behind reverse proxy or WAF protection
  • Consider upgrading to Oracle AI DB 26ai or DB 19c to ensure continued security patch availability

For patching prioritization: internet facing systems should be patched within 72 hours. Internally facing systems should be patched within two weeks. The combination of easy exploitability, sensitive financial data, and the active threat actor ecosystem targeting Oracle EBS justifies aggressive timelines.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization