Introduction
Oracle's inaugural monthly Critical Security Patch Update, released May 28, 2026, includes a fix for a high severity confidentiality vulnerability in Oracle E-Business Suite that allows a low privileged attacker to read critical financial data across multiple EBS products from a single entry point. CVE-2026-46821 sits in the Common Components layer of Oracle Financials Common Modules, a shared infrastructure component that underpins intercompany transactions, payables netting, receivables netting, and other cross-cutting financial operations, and the scope change designation in its CVSS vector means the blast radius extends well beyond the immediately vulnerable module.
This is particularly notable given the recent history of Oracle EBS exploitation. The CVE-2025-61882 ransomware campaigns demonstrated that threat actors, including Cl0p and associated groups, have both the capability and the motivation to target EBS deployments. While CVE-2026-46821 is a different class of vulnerability (confidentiality only, requiring authentication), the established attacker ecosystem around EBS makes prompt attention warranted.
Technical Information
Vulnerability Overview
CVE-2026-46821 affects the Common Components sub-component within Oracle Financials Common Modules, part of Oracle E-Business Suite. The Oracle Financials Common Modules product provides shared financial infrastructure across EBS, covering the Advanced Global Intercompany System, Payables and Receivables Netting, and other cross-cutting financial functions. The Common Components layer likely serves as a foundational shared service across multiple financial modules, which is precisely why the vulnerability carries a scope change designation.
The vulnerability was published to the National Vulnerability Database on May 28, 2026, sourced from Oracle's security alert team.
CVSS 3.1 Vector Breakdown
The complete CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, yielding a Base Score of 7.7. Here is how each metric contributes:
| CVSS Metric | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network |
| Attack Complexity (AC) | Low (L) | No specialized conditions required |
| Privileges Required (PR) | Low (L) | Attacker needs only a low privileged account |
| User Interaction (UI) | None (N) | No victim action needed |
| Scope (S) | Changed (C) | Impact crosses security boundary to other products |
| Confidentiality (C) | High (H) | Complete access to all accessible data |
| Integrity (I) | None (N) | No data modification |
| Availability (A) | None (N) | No denial of service |
The Base Score of 7.7 is driven primarily by the combination of High confidentiality impact with a Changed scope. Without the scope change, a similar vulnerability would score lower. The low privilege requirement is a meaningful distinction from CVE-2025-61882, which required no authentication at all, but in practice, low privileged EBS accounts are common across enterprise environments and obtainable through credential harvesting, phishing, or insider access.
Attack Flow
Based on the CVE description and Oracle advisory, the exploitation path follows this sequence:
-
Network access via HTTP: The attacker reaches the Oracle EBS web tier over HTTP or HTTPS. Internet-facing EBS deployments are at highest risk, though intranet-exposed instances are also vulnerable to lateral movement from a compromised internal host.
-
Low privilege authentication: The attacker authenticates with valid credentials that carry only basic application access. This does not require an administrative or financial module-specific role; any standard user account with basic EBS access is sufficient.
-
Exploitation of Common Components: The attacker leverages the vulnerability in the Common Components layer. Because this layer is shared across financial modules, the scope change indicates that the confidentiality breach extends to other EBS products that share the same security boundary.
-
Data access across modules: Successful exploitation results in "unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data," per the NVD description. The scope change means this access may extend to data managed by other EBS modules that rely on the Common Components infrastructure.
The purely confidentiality-focused nature of this vulnerability (C:H/I:N/A:N) means there is no direct integrity or availability degradation. Detection strategies should therefore focus on unauthorized data access and exfiltration patterns rather than system disruption or modification.
No CWE Classification
No CWE ID has been assigned to this vulnerability as of the NVD publication date. This limits automated vulnerability categorization and may delay integration with security tooling that relies on CWE mappings for prioritization. The absence of a CWE also means we cannot definitively categorize the root cause (e.g., improper access control, information disclosure, authorization bypass), though the CVSS vector characteristics are consistent with an authorization or access control flaw in the shared component layer.
Context Within the May 2026 CSPU
CVE-2026-46821 is one of 12 new security patches for Oracle E-Business Suite included in the May 2026 CSPU. For context, here are several of the other EBS vulnerabilities addressed in the same release:
| CVE ID | EBS Component | CVSS Score | Key Characteristics |
|---|---|---|---|
| CVE-2026-46821 | Financials Common Modules (Common Components) | 7.7 | Low privilege, network, scope change, confidentiality only |
| CVE-2026-46822 | Oracle iAssets | 9.9 | Critical, full CIA impact |
| CVE-2026-46824 | Oracle Universal Work Queue | 9.9 | Critical, full CIA impact |
| CVE-2026-46820 | Financials Common Modules | Not specified | Same product family, different component |
| CVE-2026-46817 | Oracle Payments | Not specified | Payment module |
| CVE-2026-46818 | Oracle Payments | Not specified | Payment module |
| CVE-2026-46827 | Oracle Payroll | Not specified | Payroll module |
The two CVSS 9.9 vulnerabilities (CVE-2026-46822 and CVE-2026-46824) carry the highest urgency, but CVE-2026-46821's scope change and confidentiality focus make it particularly dangerous for organizations with sensitive financial data distributed across EBS modules.
Patch Information
Oracle addressed CVE-2026-46821 as part of its inaugural Critical Security Patch Update (CSPU) for May 2026, released on May 28, 2026. This is a significant milestone: the May 2026 CSPU is Oracle's first release under their new monthly CSPU program, a supplementary patching cadence designed to deliver targeted, high priority security fixes between the traditional quarterly Critical Patch Updates (CPUs).
The fix is delivered through Oracle's standard patching infrastructure. Customers with valid support contracts can obtain the specific patch numbers by consulting My Oracle Support Note KA923, which is referenced in the CSPU advisory. The patch availability document for Oracle E-Business Suite (versions 12.2.3 through 12.2.15) provides detailed installation instructions. As is typical with Oracle's closed source patching model, no source level diffs or commit details are publicly available; the remediation is distributed as binary patches through My Oracle Support.
Key patching considerations:
- Patches are provided only for product versions covered under Premier Support or Extended Support phases of Oracle's Lifetime Support Policy. Organizations running unsupported versions must upgrade to a supported release before patching.
- The CSPU complements Oracle's quarterly cumulative Critical Patch Updates (CPUs), so organizations should ensure both the May 2026 CSPU and the most recent CPU are applied.
- Oracle also recommends applying the May 2026 CSPU to the Oracle Database and Oracle Fusion Middleware components within EBS environments, as "the exposure of Oracle E-Business Suite products is dependent on the versions of Oracle Database and Oracle Fusion Middleware being used."
- The May 2026 CSPU bundled a total of 35 new security patches across several Oracle product families. Within the E-Business Suite family specifically, 12 new security patches were included, three of which address vulnerabilities that are remotely exploitable without authentication.
Oracle notes that "workarounds like blocking network protocols or removing unnecessary privileges might reduce risk" but explicitly cautions that these "are not long-term solutions and may impact application functionality." Interim measures organizations may consider include restricting network access to EBS web tiers, reviewing and reducing low privilege account populations with access to Financials Common Modules, and monitoring EBS audit logs for unauthorized data access patterns.
The shift to monthly CSPUs is a positive development for Oracle's security posture, but it demands that organizations accelerate their own patch management cycles. Where quarterly CPUs allowed 90 day planning windows, monthly CSPUs require continuous vulnerability assessment and faster deployment.
Affected Systems and Versions
All supported versions of Oracle E-Business Suite from 12.2.3 through 12.2.15 are affected. This spans approximately 13 point releases, covering virtually every currently supported EBS 12.2 deployment.
Notably, this extends one version beyond the previously known CVE-2025-61882 range (12.2.3 through 12.2.14), meaning version 12.2.15 is newly within the affected scope.
The specific affected product and component:
- Product: Oracle Financials Common Modules (part of Oracle E-Business Suite)
- Sub-component: Common Components
- Versions: 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14, 12.2.15
No deployed supported version of Oracle EBS 12.2 is immune. Organizations running any version in this range should treat patching as the only definitive remediation path.
Vendor Security History
Oracle E-Business Suite has a well documented history of security vulnerabilities, several of which have resulted in active exploitation:
| Vulnerability | CVSS | Date | Status |
|---|---|---|---|
| CVE-2025-61882 | 9.8 | October 2025 | Actively exploited in ransomware campaigns; added to CISA KEV |
| CVE-2025-21516 | Not specified | January 2026 | Authentication bypass in EBS |
| CVE-2025-21489 | Not specified | January 2026 | EBS critical patch update |
| CVE-2026-46821 | 7.7 | May 2026 | No confirmed wild exploitation |
The CVE-2025-61882 incident is the most instructive precedent. That critical unauthenticated remote code execution flaw in Oracle EBS versions 12.2.3 through 12.2.14 was exploited in active ransomware campaigns beginning as early as August 9, 2025, approximately two months before Oracle released an out of band patch on October 4, 2025. CISA added it to the Known Exploited Vulnerabilities catalog on October 6, 2025. The campaigns were attributed to the Cl0p ransomware group, with researchers observing signs of collaboration or code sharing with Scattered Spider, LAPSUS$, and ShinyHunters.
The April 2026 CPU alone addressed 481 security vulnerabilities across Oracle's product portfolio. The January 2026 CPU contained 8 new security patches for EBS, 2 of which were remotely exploitable without authentication.
Oracle also confirmed a data breach via outdated servers in a separate incident, while denying a breach of its cloud infrastructure. This incident underscores the risk associated with unpatched on premises EBS deployments.
The recurring pattern of EBS vulnerabilities, particularly in the 12.2.x version range, suggests architectural weaknesses in the shared component layers that continue to be discovered. The Common Components sub-component of Financials Common Modules, where CVE-2026-46821 resides, is an example of such a shared layer.
References
- NVD: CVE-2026-46821
- CVE Record: CVE-2026-46821
- Oracle Security Critical Patch Update Advisory, May 2026
- Oracle Security Alerts
- Monthly Critical Security Patch Updates (CSPUs) Begin May 28, 2026
- Oracle to Release Monthly Critical Security Patch Updates (CSPUs)
- Oracle Financials Common Modules Documentation
- Oracle EBS Flaw Exploited in Active Ransomware Campaigns (CVE-2025-61882)
- Critical Vulnerability Alert: CVE-2025-61882 in Oracle E-Business Suite
- Investigation into Oracle E-Business Suite Exploit Components (CVE-2025-61882)
- Oracle Security Alert Advisory: CVE-2025-61882
- VulnCheck State of Exploitation 2026
- Oracle Critical Patch Update, April 2026 Security Update Review (Qualys)
- Oracle Critical Patch Update Advisory, January 2026
- Oracle confirms data breach via outdated servers



