Wasteland.
⚡ Active KEV CVE-2026-46819 2026-05-28

CVE-2026-46819: Critical Unauthenticated Flaw in Oracle Internet Procurement Connector

A critical, easily exploitable vulnerability in Oracle E-Business Suite's Internet Procurement Connector allows unauthenticated remote attackers to read, modify, or destroy critical data over HTTP, carrying a CVSS 3.1 base score of 9.1.

What Is It

CVE-2026-46819 is a critical vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite, specifically within the Internal Operations component. Oracle classifies it as easily exploitable by an unauthenticated attacker with network access via HTTP. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects network-reachable, low-complexity exploitation with no privileges or user interaction required, yielding high confidentiality and integrity impact.

Why It Matters

Successful exploitation can result in unauthorized creation, deletion, or modification of critical data, as well as unauthorized read access up to complete access of all data accessible to the Internet Procurement Connector. Because exploitation requires no authentication and only HTTP reachability, any internet-exposed or broadly network-reachable instance is at immediate risk of data theft and tampering. With a CVSS base score of 9.1 (CRITICAL) and exploitability sub-score of 3.9, the barrier to attack is low and the blast radius covers procurement and connected business data integrity.

What's Vulnerable

The supplied CISA KEV entry is empty, so active exploitation has not been confirmed via KEV at the time of this writing.

Patch Status

Oracle published this issue as part of the May 2026 Critical Patch Update advisory. Administrators should consult Oracle's advisory and apply the fixes for affected Oracle E-Business Suite 12.2.3–12.2.15 deployments. Until patched, restrict network exposure of the Internet Procurement Connector to trusted segments and review HTTP access logs for anomalous activity against the Internal Operations component.
