Introduction
A low privileged employee account on Oracle E-Business Suite is all it takes to achieve full takeover of Oracle Payroll, including access to salary data, bank account details, tax identifiers, and employee PII across the entire organization. CVE-2026-46827, disclosed in Oracle's May 2026 Critical Security Patch Update, is an authorization bypass in the Self Service Manager component of Oracle Payroll that scores CVSS 8.8 with High impact across confidentiality, integrity, and availability.
This matters beyond the technical details because Oracle EBS is deployed at approximately 21,656 organizations worldwide, and Oracle recently surpassed SAP as the number one ERP applications vendor. Every supported EBS 12.2 release, from 12.2.3 through 12.2.15, is affected. The vulnerability arrives less than a year after the Cl0p ransomware group exploited a different Oracle EBS zero-day (CVE-2025-61882) in a large-scale extortion campaign, establishing a clear pattern of threat actor interest in this product line.
Technical Information
Vulnerability Scope and Affected Component
CVE-2026-46827 targets the Self Service Manager component within Oracle Payroll, part of the broader Oracle E-Business Suite HCM module. The Self Service Manager provides a web-based HTTP interface through which employees can view payslips, update direct deposit information, and manage tax withholding selections. This component is exposed to all authenticated EBS users who have been granted self-service access.
The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15, which encompasses the entire supported release range of EBS Release 12.2.
CVSS 3.1 Vector Analysis
The full CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 8.8 (High). Breaking this down:
| CVSS Component | Value | Implication |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over HTTP; no physical or local access required |
| Attack Complexity (AC) | Low | No special conditions needed; straightforward exploitation |
| Privileges Required (PR) | Low | Attacker needs only a low privileged authenticated account |
| User Interaction (UI) | None | No victim action needed to trigger the vulnerability |
| Scope (S) | Unchanged | Impact confined to the vulnerable Oracle Payroll component |
| Confidentiality (C) | High | Complete information disclosure possible |
| Integrity (I) | High | Complete modification of Payroll data possible |
| Availability (A) | High | Complete denial of service to Payroll possible |
The combination of low attack complexity and no user interaction means exploitation can be automated once an attacker obtains any valid low privilege credential. The High/High/High impact triad means a successful attack achieves functional equivalence to a full application takeover within the Oracle Payroll subsystem.
Attack Flow
Based on the CVSS vector, Oracle's advisory description, and the component's architecture, the exploitation follows a privilege escalation pattern consistent with enterprise ERP authorization bypass vulnerabilities:
-
Initial Access: The attacker authenticates to Oracle E-Business Suite with a low privileged account. This could be a standard employee self-service account, a compromised credential obtained through phishing or credential stuffing, or an insider with minimal access.
-
Targeting the Self Service Manager: The attacker sends crafted HTTP requests to the Self Service Manager component. Because this component is designed to be accessible to all employees with self-service roles, the attacker is already within the expected access boundary.
-
Authorization Bypass: The Self Service Manager fails to properly enforce authorization boundaries on certain operations. The crafted requests are processed with elevated privileges, granting the attacker access beyond their intended scope.
-
Payroll Takeover: The result, as described by Oracle, is "takeover of Oracle Payroll." This indicates the attacker gains the ability to view, modify, or delete all payroll data and potentially disrupt payroll processing operations. The data at risk includes salary information, bank account details for direct deposits, tax identifiers (SSNs, TINs), and comprehensive employee PII.
According to the Oracle May 2026 CSPU risk matrix, CVE-2026-46827 is not remotely exploitable without authentication (the "Remote Exploit without Auth" column reads "No"), distinguishing it from three other CVEs in the same advisory that allow unauthenticated exploitation.
Systemic Pattern: Multiple Payroll CVEs
CVE-2026-46827 is not an isolated finding. The same May 2026 CSPU addresses at least two payroll-related vulnerabilities:
| CVE | Component | CVSS | Remote Without Auth |
|---|---|---|---|
| CVE-2026-46827 | Oracle Payroll: Self Service Manager | 8.8 | No |
| CVE-2026-46826 | Oracle Payroll: Internal Operations over HTTPS | 8.8 | Not confirmed |
| CVE-2026-46837 | Oracle Flow Manufacturing: Security over SQL | 8.8 | Not confirmed |
Two payroll CVEs with identical CVSS scores in the same patch cycle suggest a cluster of authorization enforcement weaknesses in the Oracle Payroll subsystem, pointing to a broader architectural concern rather than a single isolated coding error. The Self Service Manager and Internal Operations components may share common authorization architecture with multiple bypass points.
Information Gaps
The NVD entry is marked "Awaiting Enrichment" as of May 29, 2026. No CVSS 4.0 score, CWE classification, or expanded technical analysis has been published by NIST. The specific nature of the authorization bypass (whether it is an insecure direct object reference, missing function level access control, or parameter tampering) has not been publicly documented. No proof of concept code or detailed exploit write-up has been identified in public sources.
Affected Systems and Versions
The vulnerability affects the following:
- Product: Oracle Payroll
- Suite: Oracle E-Business Suite
- Component: Self Service Manager
- Affected Versions: 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14, and 12.2.15
- Protocol: HTTP
This version range covers the entire supported release range of Oracle E-Business Suite Release 12.2. Any organization running EBS 12.2 with the Oracle Payroll module and Self Service Manager component enabled is potentially vulnerable.
The May 2026 CSPU contains 12 total security patches for Oracle E-Business Suite, three of which address vulnerabilities that are remotely exploitable without authentication. Organizations should plan a bundled EBS patch application rather than addressing CVE-2026-46827 in isolation.
Vendor Security History
Oracle's E-Business Suite has a notable recent security track record that provides important context for evaluating CVE-2026-46827.
CVE-2025-61882: The Cl0p Precedent
The most significant prior event was CVE-2025-61882, a CVSS 9.8 critical vulnerability in the Concurrent Processing component through its BI Publisher Integration, affecting versions 12.2.3 through 12.2.14. This vulnerability was exploited in the wild by the Cl0p ransomware group in a large-scale extortion campaign. The flaw allowed unauthenticated remote code execution over HTTP.
CVE-2025-61882 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog and flagged as being used in ransomware campaigns. Google Cloud's Mandiant team confirmed that "a financially motivated actor conducting a large-scale extortion campaign under the CL0P brand" exploited the zero-day. Halcyon reported that Cl0p "likely used a newly-identified zero-day (CVE-2025-61882) and additional Oracle vulnerabilities to exploit internet-facing" Oracle EBS instances.
The Australian Cyber Security Centre (ACSC) and the Canadian Centre for Cyber Security both issued formal alerts urging immediate patching.
Patch Volume and Cadence
Oracle's Critical Patch Update program addresses large volumes of vulnerabilities. The April 2026 CPU contained 481 new security patches across a wide range of products. The January 2026 CPU contained 8 new security patches for Oracle E-Business Suite alone, 2 of which were remotely exploitable without authentication.
Beginning in May 2026, Oracle transitioned to a monthly CSPU release cycle, enabling faster protection against emerging threats compared to the previous quarterly schedule. This structural improvement is significant, but the repeated discovery of high severity EBS vulnerabilities (CVSS 9.8 in October 2025, CVSS 8.8 in May 2026) suggests ongoing challenges in the legacy codebase, particularly around authorization enforcement in self-service components exposed over HTTP.
Threat Intelligence Context
As of May 29, 2026, no evidence of active exploitation of CVE-2026-46827 in the wild has been identified. The CVE is less than 48 hours old. No proof of concept exploits have been observed on GitHub, exploit databases, or cybercriminal forums.
However, the absence of current exploitation does not imply low risk. Several factors elevate the exploitation likelihood over time:
- Low privilege requirement: Any compromised employee account or stolen credential provides sufficient access to attempt exploitation, unlike CVE-2025-61882 which required no authentication at all.
- HTTP based attack vector: Exploitation can be conducted over the same web channels used for legitimate Self Service Manager access, making detection harder.
- High value target: Oracle Payroll contains salary data, bank account details, tax identifiers, and employee PII, data that commands high value on illicit markets and enables further attacks such as payroll diversion fraud.
- Proven threat actor interest: Cl0p and potentially other groups have demonstrated willingness and capability to exploit Oracle EBS vulnerabilities. Bitsight observed growing chatter in cybercriminal forums regarding CVE-2025-61882 even before a public proof of concept was released, indicating that threat actors monitor Oracle vulnerability disclosures closely.
Organizations should operate under the assumption that the window between public disclosure and active exploitation is narrowing, particularly given the precedent of CVE-2025-61882 moving from disclosure to CISA KEV listing within days.
References
- NVD: CVE-2026-46827
- Oracle Security Critical Patch Update Advisory: May 2026
- Oracle Security Alerts Portal
- Oracle Security Alert: CVE-2025-61882
- Oracle Critical Patch Update Advisory: January 2026
- Oracle Critical Patch Update Advisory: April 2026
- Rapid7: Critical 0day in Oracle E-Business Suite Exploited in the Wild (CVE-2025-61882)
- Google Cloud / Mandiant: Oracle E-Business Suite Zero-Day Exploitation
- Halcyon: Cl0p Abuses Oracle E-Business Suite for Account Takeover
- Bitsight: CVE-2025-61882 in Oracle E-Business Suite: Details, Next Steps
- Australian Cyber Security Centre: Critical Vulnerability in Oracle E-Business Suite
- Canadian Centre for Cyber Security: AL25-013
- Tenable: CVE-2025-61882 FAQ
- Apps Run the World: Oracle Surpasses SAP To Become No. 1 ERP Apps Provider
- Oracle EBS Users List (InfoClutch)
- Oracle E-Business Suite Security Guide
- Oracle EBS HCM and Self-Service Overview



