ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-46821 — Oracle EBS Financials Common Modules Confidentiality Breach with Scope Change

A brief summary of CVE-2026-46821, a high severity confidentiality vulnerability in Oracle E-Business Suite Financials Common Modules (versions 12.2.3 through 12.2.15) that allows low privileged attackers to access critical data across multiple EBS products. Includes patch information from Oracle's inaugural monthly CSPU release.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Quick Look: CVE-2026-46821 — Oracle EBS Financials Common Modules Confidentiality Breach with Scope Change
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Oracle's inaugural monthly Critical Security Patch Update, released May 28, 2026, includes a fix for a high severity confidentiality vulnerability in Oracle E-Business Suite that allows a low privileged attacker to read critical financial data across multiple EBS products from a single entry point. CVE-2026-46821 sits in the Common Components layer of Oracle Financials Common Modules, a shared infrastructure component that underpins intercompany transactions, payables netting, receivables netting, and other cross-cutting financial operations, and the scope change designation in its CVSS vector means the blast radius extends well beyond the immediately vulnerable module.

This is particularly notable given the recent history of Oracle EBS exploitation. The CVE-2025-61882 ransomware campaigns demonstrated that threat actors, including Cl0p and associated groups, have both the capability and the motivation to target EBS deployments. While CVE-2026-46821 is a different class of vulnerability (confidentiality only, requiring authentication), the established attacker ecosystem around EBS makes prompt attention warranted.

Technical Information

Vulnerability Overview

CVE-2026-46821 affects the Common Components sub-component within Oracle Financials Common Modules, part of Oracle E-Business Suite. The Oracle Financials Common Modules product provides shared financial infrastructure across EBS, covering the Advanced Global Intercompany System, Payables and Receivables Netting, and other cross-cutting financial functions. The Common Components layer likely serves as a foundational shared service across multiple financial modules, which is precisely why the vulnerability carries a scope change designation.

The vulnerability was published to the National Vulnerability Database on May 28, 2026, sourced from Oracle's security alert team.

CVSS 3.1 Vector Breakdown

The complete CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, yielding a Base Score of 7.7. Here is how each metric contributes:

CVSS MetricValueSignificance
Attack Vector (AV)Network (N)Exploitable remotely over the network
Attack Complexity (AC)Low (L)No specialized conditions required
Privileges Required (PR)Low (L)Attacker needs only a low privileged account
User Interaction (UI)None (N)No victim action needed
Scope (S)Changed (C)Impact crosses security boundary to other products
Confidentiality (C)High (H)Complete access to all accessible data
Integrity (I)None (N)No data modification
Availability (A)None (N)No denial of service

The Base Score of 7.7 is driven primarily by the combination of High confidentiality impact with a Changed scope. Without the scope change, a similar vulnerability would score lower. The low privilege requirement is a meaningful distinction from CVE-2025-61882, which required no authentication at all, but in practice, low privileged EBS accounts are common across enterprise environments and obtainable through credential harvesting, phishing, or insider access.

Attack Flow

Based on the CVE description and Oracle advisory, the exploitation path follows this sequence:

  1. Network access via HTTP: The attacker reaches the Oracle EBS web tier over HTTP or HTTPS. Internet-facing EBS deployments are at highest risk, though intranet-exposed instances are also vulnerable to lateral movement from a compromised internal host.

  2. Low privilege authentication: The attacker authenticates with valid credentials that carry only basic application access. This does not require an administrative or financial module-specific role; any standard user account with basic EBS access is sufficient.

  3. Exploitation of Common Components: The attacker leverages the vulnerability in the Common Components layer. Because this layer is shared across financial modules, the scope change indicates that the confidentiality breach extends to other EBS products that share the same security boundary.

  4. Data access across modules: Successful exploitation results in "unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data," per the NVD description. The scope change means this access may extend to data managed by other EBS modules that rely on the Common Components infrastructure.

The purely confidentiality-focused nature of this vulnerability (C:H/I:N/A:N) means there is no direct integrity or availability degradation. Detection strategies should therefore focus on unauthorized data access and exfiltration patterns rather than system disruption or modification.

No CWE Classification

No CWE ID has been assigned to this vulnerability as of the NVD publication date. This limits automated vulnerability categorization and may delay integration with security tooling that relies on CWE mappings for prioritization. The absence of a CWE also means we cannot definitively categorize the root cause (e.g., improper access control, information disclosure, authorization bypass), though the CVSS vector characteristics are consistent with an authorization or access control flaw in the shared component layer.

Context Within the May 2026 CSPU

CVE-2026-46821 is one of 12 new security patches for Oracle E-Business Suite included in the May 2026 CSPU. For context, here are several of the other EBS vulnerabilities addressed in the same release:

CVE IDEBS ComponentCVSS ScoreKey Characteristics
CVE-2026-46821Financials Common Modules (Common Components)7.7Low privilege, network, scope change, confidentiality only
CVE-2026-46822Oracle iAssets9.9Critical, full CIA impact
CVE-2026-46824Oracle Universal Work Queue9.9Critical, full CIA impact
CVE-2026-46820Financials Common ModulesNot specifiedSame product family, different component
CVE-2026-46817Oracle PaymentsNot specifiedPayment module
CVE-2026-46818Oracle PaymentsNot specifiedPayment module
CVE-2026-46827Oracle PayrollNot specifiedPayroll module

The two CVSS 9.9 vulnerabilities (CVE-2026-46822 and CVE-2026-46824) carry the highest urgency, but CVE-2026-46821's scope change and confidentiality focus make it particularly dangerous for organizations with sensitive financial data distributed across EBS modules.

Patch Information

Oracle addressed CVE-2026-46821 as part of its inaugural Critical Security Patch Update (CSPU) for May 2026, released on May 28, 2026. This is a significant milestone: the May 2026 CSPU is Oracle's first release under their new monthly CSPU program, a supplementary patching cadence designed to deliver targeted, high priority security fixes between the traditional quarterly Critical Patch Updates (CPUs).

The fix is delivered through Oracle's standard patching infrastructure. Customers with valid support contracts can obtain the specific patch numbers by consulting My Oracle Support Note KA923, which is referenced in the CSPU advisory. The patch availability document for Oracle E-Business Suite (versions 12.2.3 through 12.2.15) provides detailed installation instructions. As is typical with Oracle's closed source patching model, no source level diffs or commit details are publicly available; the remediation is distributed as binary patches through My Oracle Support.

Key patching considerations:

  • Patches are provided only for product versions covered under Premier Support or Extended Support phases of Oracle's Lifetime Support Policy. Organizations running unsupported versions must upgrade to a supported release before patching.
  • The CSPU complements Oracle's quarterly cumulative Critical Patch Updates (CPUs), so organizations should ensure both the May 2026 CSPU and the most recent CPU are applied.
  • Oracle also recommends applying the May 2026 CSPU to the Oracle Database and Oracle Fusion Middleware components within EBS environments, as "the exposure of Oracle E-Business Suite products is dependent on the versions of Oracle Database and Oracle Fusion Middleware being used."
  • The May 2026 CSPU bundled a total of 35 new security patches across several Oracle product families. Within the E-Business Suite family specifically, 12 new security patches were included, three of which address vulnerabilities that are remotely exploitable without authentication.

Oracle notes that "workarounds like blocking network protocols or removing unnecessary privileges might reduce risk" but explicitly cautions that these "are not long-term solutions and may impact application functionality." Interim measures organizations may consider include restricting network access to EBS web tiers, reviewing and reducing low privilege account populations with access to Financials Common Modules, and monitoring EBS audit logs for unauthorized data access patterns.

The shift to monthly CSPUs is a positive development for Oracle's security posture, but it demands that organizations accelerate their own patch management cycles. Where quarterly CPUs allowed 90 day planning windows, monthly CSPUs require continuous vulnerability assessment and faster deployment.

Affected Systems and Versions

All supported versions of Oracle E-Business Suite from 12.2.3 through 12.2.15 are affected. This spans approximately 13 point releases, covering virtually every currently supported EBS 12.2 deployment.

Notably, this extends one version beyond the previously known CVE-2025-61882 range (12.2.3 through 12.2.14), meaning version 12.2.15 is newly within the affected scope.

The specific affected product and component:

  • Product: Oracle Financials Common Modules (part of Oracle E-Business Suite)
  • Sub-component: Common Components
  • Versions: 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14, 12.2.15

No deployed supported version of Oracle EBS 12.2 is immune. Organizations running any version in this range should treat patching as the only definitive remediation path.

Vendor Security History

Oracle E-Business Suite has a well documented history of security vulnerabilities, several of which have resulted in active exploitation:

VulnerabilityCVSSDateStatus
CVE-2025-618829.8October 2025Actively exploited in ransomware campaigns; added to CISA KEV
CVE-2025-21516Not specifiedJanuary 2026Authentication bypass in EBS
CVE-2025-21489Not specifiedJanuary 2026EBS critical patch update
CVE-2026-468217.7May 2026No confirmed wild exploitation

The CVE-2025-61882 incident is the most instructive precedent. That critical unauthenticated remote code execution flaw in Oracle EBS versions 12.2.3 through 12.2.14 was exploited in active ransomware campaigns beginning as early as August 9, 2025, approximately two months before Oracle released an out of band patch on October 4, 2025. CISA added it to the Known Exploited Vulnerabilities catalog on October 6, 2025. The campaigns were attributed to the Cl0p ransomware group, with researchers observing signs of collaboration or code sharing with Scattered Spider, LAPSUS$, and ShinyHunters.

The April 2026 CPU alone addressed 481 security vulnerabilities across Oracle's product portfolio. The January 2026 CPU contained 8 new security patches for EBS, 2 of which were remotely exploitable without authentication.

Oracle also confirmed a data breach via outdated servers in a separate incident, while denying a breach of its cloud infrastructure. This incident underscores the risk associated with unpatched on premises EBS deployments.

The recurring pattern of EBS vulnerabilities, particularly in the 12.2.x version range, suggests architectural weaknesses in the shared component layers that continue to be discovered. The Common Components sub-component of Financials Common Modules, where CVE-2026-46821 resides, is an example of such a shared layer.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization