Introduction
Oracle's inaugural monthly Critical Security Patch Update, released May 28, 2026, includes a vulnerability in Oracle Payroll that allows any low privileged user with network access to achieve full takeover of the Payroll application, including unrestricted access to employee compensation, banking, and tax data. This is not a theoretical concern: Oracle E-Business Suite was the target of a large scale Cl0p ransomware campaign just months ago via CVE-2025-61882, and the Payroll subsystem now appears in the advisory with not one but three distinct high severity CVEs.
CVE-2026-46826 resides in the Internal Operations component of Oracle Payroll and carries a CVSS 3.1 base score of 8.8. It affects all supported EBS versions from 12.2.3 through 12.2.15, a range spanning over a decade of production deployments. The vulnerability requires only a low privilege authenticated session over HTTPS, no user interaction, and no specialized attack conditions, making it accessible to any attacker who can obtain or compromise a basic EBS account.
Technical Information
Vulnerability Classification and CVSS Breakdown
CVE-2026-46826 was published to the NVD on May 28, 2026 at 21:16:32 UTC. The vulnerability affects the Internal Operations component of Oracle Payroll within Oracle E-Business Suite. Oracle's advisory describes the impact as enabling "takeover of Oracle Payroll," which in CVSS terms corresponds to High impact across all three pillars: confidentiality, integrity, and availability.
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:
| CVSS Metric | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No specialized conditions required |
| Privileges Required (PR) | Low | Any low privilege account suffices |
| User Interaction (UI) | None | No victim action needed |
| Scope (S) | Unchanged | Impact confined to Oracle Payroll |
| Confidentiality (C) | High | Full access to payroll data |
| Integrity (I) | High | Data modification possible |
| Availability (A) | High | Payroll service disruption possible |
No CWE ID has been assigned by Oracle or the NVD. This is consistent with Oracle's standard disclosure practice of withholding specific technical details about the vulnerability mechanism (such as whether the flaw involves SQL injection, privilege escalation, deserialization, or another class of issue).
Attack Surface and Exploitation Path
The vulnerability is exploitable over HTTPS, meaning the attack surface is the same web interface used for legitimate EBS access. Oracle's advisory confirms this is "not remotely exploitable without authentication," so an attacker must possess at least low level credentials. The protocol specification of HTTPS (rather than HTTP) indicates the vulnerability is in a secure channel endpoint of the Payroll Internal Operations component.
The practical exploitation path would follow this general sequence:
- Credential acquisition: The attacker obtains a low privilege EBS account. This could come from credential stuffing, phishing, compromised service accounts with static credentials, or credentials purchased on dark markets.
- Authenticated access: The attacker authenticates to the EBS web interface over HTTPS using the low privilege account.
- Exploitation of Internal Operations component: Through the authenticated session, the attacker targets the vulnerable Internal Operations component of Oracle Payroll. The specific mechanism is undisclosed, but the result is complete takeover of Oracle Payroll.
- Post exploitation: With full control over Oracle Payroll, the attacker can read all employee compensation data, banking details, and tax identifiers (confidentiality); modify payroll records, redirect payments, or alter tax withholdings (integrity); and disrupt payroll processing (availability).
Context from Prior EBS Exploitation
While CVE-2026-46826 is a different vulnerability in a different component, the prior exploitation of CVE-2025-61882 illustrates the class of server side code execution flaws that Oracle EBS has exhibited. In that case, the attack chain involved manipulating EBS configuration endpoints to force EBS to fetch a malicious XSL stylesheet from an attacker controlled server. The server side XSLT evaluation then invoked Java's ScriptEngine to execute operating system commands via Runtime.getRuntime().exec(). This sophisticated chain transformed a server side template injection flaw into full remote code execution. The CVE-2025-61882 case demonstrates that EBS vulnerabilities can enable deep system compromise, not just application level access.
Clustering of Payroll CVEs
Three Oracle Payroll vulnerabilities appear in the May 2026 CSPU, all affecting EBS versions 12.2.3 through 12.2.15:
| CVE ID | Component | CVSS | Protocol | Privileges Required | Impact Profile |
|---|---|---|---|---|---|
| CVE-2026-46826 | Internal Operations | 8.8 | HTTPS | Low | C:H / I:H / A:H |
| CVE-2026-46827 | Self Service Manager | 8.8 | HTTP | Low | C:H / I:H / A:H |
| CVE-2026-46828 | Internal Operations | 8.1 | HTTP | Low | C:H / I:H / A:N |
CVE-2026-46828 shares the Internal Operations component with CVE-2026-46826 but lacks availability impact (A:N versus A:H), potentially indicating a related but distinct flaw. The clustering of three Payroll CVEs in a single advisory suggests that the Payroll subsystem underwent focused security review, likely in response to the CVE-2025-61882 aftermath. Organizations should treat all three as a unified remediation task.
Data Sensitivity Considerations
Oracle Payroll processes some of the most sensitive data in any enterprise: employee compensation amounts, bank account numbers for direct deposit, tax identification numbers (SSN/TIN), withholding elections, and garnishment orders. A breach of this data triggers specific regulatory obligations under GDPR, PCI DSS, and various national data protection laws. The confidentiality impact of CVE-2026-46826 is qualitatively different from a generic EBS data access vulnerability because of the nature of the data at risk.
Affected Systems and Versions
The vulnerability affects the following:
- Product: Oracle Payroll
- Suite: Oracle E-Business Suite
- Component: Internal Operations
- Affected versions: 12.2.3 through 12.2.15 (all supported versions in this range)
- Protocol: HTTPS
Oracle notes that earlier versions (prior to 12.2.3) may also be affected but are under Extended Support or are no longer supported. Organizations running versions prior to 12.2.3 should verify their exposure through Oracle Support, as patches for unsupported versions may not be available, making upgrade the only viable remediation path.
The two companion Payroll CVEs (CVE-2026-46827 and CVE-2026-46828) share the same affected version range of 12.2.3 through 12.2.15.
Vendor Security History
Oracle E-Business Suite has a documented and concerning history of severe, actively exploited vulnerabilities:
CVE-2022-21587 (CVSS 9.8): An unauthenticated remote code execution vulnerability in Oracle E-Business Suite that was exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog. The specific threat actor was not publicly identified.
CVE-2025-61882 (CVSS 9.8): A critical zero day in Oracle EBS Concurrent Processing, exploited by the Cl0p ransomware gang beginning approximately August 2025, roughly two months before Oracle's public disclosure on October 4, 2025. CISA added this CVE to its KEV catalog on October 6, 2025. The attack chain involved manipulating EBS configuration endpoints to force the server to fetch and evaluate a malicious XSL stylesheet, ultimately achieving operating system command execution through Java's ScriptEngine. Google's Mandiant team tracked a "large scale extortion campaign" targeting EBS environments worldwide. A secondary threat actor, SCATTERED LAPSUS$ (also known as Shiny Hunters), publicly released exploit code on Telegram, dramatically expanding the threat landscape by lowering the barrier for opportunistic attackers.
CVE-2025-61884: Disclosed in the same alert as CVE-2025-61882, though not confirmed as actively exploited.
This track record establishes that Oracle EBS is a recurring, high value target for financially motivated threat actors. The gap between private exploitation and public disclosure in the CVE-2025-61882 case (approximately two months) is a critical data point: the absence of known exploitation of CVE-2026-46826 today does not predict its status in the coming weeks.
Oracle's Shift to Monthly Patching
The May 2026 CSPU represents a significant change in Oracle's security posture. Oracle transitioned from quarterly Critical Patch Updates to monthly Critical Security Patch Updates beginning May 28, 2026. Oracle stated this change "enables faster protection against emerging threats." This transition is a direct response to the demonstrated pattern of exploitation outpacing quarterly patch cycles. For organizations, this means adapting to a more frequent patching rhythm; the benefit of faster protection comes with the operational cost of monthly patch evaluation and deployment cycles.
Threat Intelligence Assessment
As of May 29, 2026, no confirmed in the wild exploitation of CVE-2026-46826 has been reported. The CVE was published less than 24 hours before this analysis. No threat intelligence feeds, security vendor reports, or government advisories have flagged this specific CVE as actively exploited.
Several factors increase the exploitation probability over time:
- Payroll data is high value: Employee compensation, banking details, and tax information are attractive targets for financial crime and extortion.
- Low privilege credentials are readily obtainable: Credential stuffing, phishing, and dark market availability mean the Low privilege requirement is a thinner barrier than the CVSS score alone suggests.
- EBS instances are often internet facing: Oracle EBS deployments frequently expose web interfaces for remote employee and manager self service access.
- Proven EBS exploitation playbooks exist: The CVE-2025-61882 campaign demonstrated that EBS vulnerabilities can be successfully exploited at scale, and adversary infrastructure and techniques may be adapted to new CVEs.
Organizations subject to CISA KEV compliance requirements should monitor for potential catalog addition in the coming weeks.
References
- Oracle Security Critical Patch Update Advisory, May 2026
- Text Form of Oracle CSPU May 2026 Risk Matrices
- Oracle Security Alerts Overview
- Oracle Blog: Monthly Critical Security Patch Updates Begin May 28, 2026
- Rapid7: Critical 0day in Oracle E-Business Suite Exploited in the Wild (CVE-2025-61882)
- Google Cloud / Mandiant: Oracle E-Business Suite Zero-Day Exploited in Widespread Campaign
- Oracle Security Alert: CVE-2025-61882
- NVD: CVE-2022-21587 Detail
- Risk Ledger: Oracle E-Business Suite Vulnerability
- Zeropath: Oracle E-Business Suite CVE-2025-61884 Summary
- Oracle Critical Patch Update Advisory, April 2026
- VulnCheck: Quantifying 2026 Routinely Targeted Vulnerabilities



