⚡ Active KEV CVE-2026-46817 2026-05-28

CVE-2026-46817: Critical Unauthenticated Takeover in Oracle E-Business Suite Payments

A critical (CVSS 9.8) vulnerability in the File Transmission component of Oracle Payments allows unauthenticated remote attackers to fully compromise Oracle E-Business Suite Payments over HTTP.

What Is It

CVE-2026-46817 is a critical flaw in the Oracle Payments product of Oracle E-Business Suite, specifically affecting the File Transmission component. Oracle's advisory describes it as "easily exploitable," requiring no authentication and no user interaction. An attacker only needs network access via HTTP to reach a vulnerable instance, and successful exploitation results in full takeover of Oracle Payments.

The CVSS 3.1 base score is 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact across confidentiality, integrity, and availability. Both the exploitability subscore (3.9) and impact subscore (5.9) reflect a worst-case profile: trivial reachability paired with complete system compromise.

Why It Matters

Oracle Payments handles funds disbursement, settlement, and financial transaction processing inside Oracle E-Business Suite, a system commonly deployed by enterprises and government entities for core financial operations. A pre-authentication HTTP takeover of this component means an attacker can compromise the system that moves money, without needing credentials or a foothold. The combination of unauthenticated network reachability, low attack complexity, and full CIA impact places this at the top tier of priority patching for any Oracle EBS operator.

Note: As of the NVD record's publication, there is no CISA KEV entry confirming active exploitation. That status can change quickly for unauthenticated RCE-class flaws in widely deployed enterprise software.

What's Vulnerable

Patch Status

Oracle addressed this issue in the Critical Patch Update Advisory of May 2026 (CPU May 2026). Administrators running Oracle E-Business Suite versions 12.2.3 through 12.2.15 should apply the relevant May 2026 CPU patches for Oracle Payments immediately. Where patching cannot occur promptly, restricting HTTP exposure of Oracle Payments endpoints to trusted networks is a sensible interim mitigation consistent with Oracle's guidance for network-reachable EBS components.
