Oracle disclosed a CVSS 9.9 vulnerability in Oracle iAssets (E-Business Suite) that lets a low-privileged network attacker take over the component and pivot into additional products via a scope change.
What Is It
CVE-2026-46822 is an easily exploitable vulnerability in the Internal Operations component of Oracle iAssets, part of Oracle E-Business Suite. Oracle rates it CVSS 3.1 base score 9.9 (CRITICAL) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. Exploitation requires network access over HTTP and only low privileges, with no user interaction. Because the scope is "Changed," a successful attack on iAssets can significantly impact additional products beyond the vulnerable component itself. Confidentiality, integrity, and availability impacts are all rated HIGH, and the outcome is full takeover of Oracle iAssets.
Why It Matters
The combination of low attack complexity, low privilege requirement, no user interaction, and a network-reachable HTTP attack vector makes this a strong candidate for opportunistic exploitation against exposed E-Business Suite deployments. The scope change is particularly notable: attacker access in iAssets can extend the blast radius into adjacent Oracle products in the same environment, turning a single foothold into broader enterprise compromise. Oracle E-Business Suite typically underpins finance, procurement, and asset management workflows, so successful takeover carries direct business and data-integrity risk. CISA KEV does not currently list this CVE as actively exploited, but the CVSS profile and prior history of Oracle E-Business Suite issues warrant urgent patching regardless.
What's Vulnerable
- Product: Oracle iAssets (Oracle E-Business Suite)
- Component: Internal Operations
- Affected versions: 12.2.3 through 12.2.15 (supported releases)
- Attack prerequisites: Network access via HTTP, low-privileged account, no user interaction
Patch Status
Oracle published the fix as part of its Critical Security Patch Update for May 2026 (cspumay2026). Administrators running Oracle E-Business Suite versions 12.2.3–12.2.15 should apply the May 2026 CPU promptly. Given the scope-change behavior and HIGH impact across confidentiality, integrity, and availability, prioritize internet-exposed or partner-accessible iAssets instances first, and audit existing low-privileged accounts that could be abused as a launch point.
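The prioritization above (affected release range first, then exposure ordering) is easy to turn into a repeatable triage step. The following is an added Python example, not Oracle tooling, that checks an inventory against the 12.2.3–12.2.15 range stated in this advisory and orders the unpatched instances with internet-facing ones first, then partner-accessible, then internal. The inventory records, host names, and the `exposure` and `cpu_may2026_applied` fields are constructed for the example; a version outside the stated range is reported as "not in the advisory's affected range," not as safe.

```python
from dataclasses import dataclass

# Affected range exactly as stated in the advisory: 12.2.3 through 12.2.15.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 15)

# Patch order from the advisory: exposed instances before internal ones.
EXPOSURE_RANK = {"internet": 0, "partner": 1, "internal": 2}


def parse_version(version):
    """Turn '12.2.15' into the comparable tuple (12, 2, 15)."""
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        raise ValueError(f"unparsable E-Business Suite version: {version!r}")
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got: {version!r}")
    return parts


def is_affected(version):
    """True when the version falls inside the advisory's stated range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Instance:
    host: str                 # constructed host name
    version: str              # EBS release string
    exposure: str             # one of EXPOSURE_RANK's keys
    cpu_may2026_applied: bool  # whether the May 2026 CPU is already installed


def patch_queue(instances):
    """Return the instances still needing the May 2026 CPU, most exposed first."""
    for inst in instances:
        if inst.exposure not in EXPOSURE_RANK:
            raise ValueError(f"{inst.host}: unknown exposure {inst.exposure!r}")
    pending = [
        i for i in instances
        if is_affected(i.version) and not i.cpu_may2026_applied
    ]
    return sorted(pending, key=lambda i: (EXPOSURE_RANK[i.exposure], i.host))


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Instance("ebs-int-01.example.internal", "12.2.12", "internal", True),
    Instance("ebs-int-02.example.internal", "12.2.12", "internal", False),
    Instance("ebs-partner-01.example.internal", "12.2.9", "partner", False),
    Instance("ebs-ext-01.example.internal", "12.2.15", "internet", False),
    Instance("ebs-legacy-01.example.internal", "12.1.3", "internal", False),
]


def queue_hosts(instances=INVENTORY):
    """Host names in patch order, for reporting."""
    return [i.host for i in patch_queue(instances)]


if __name__ == "__main__":
    for pos, inst in enumerate(patch_queue(INVENTORY), start=1):
        print(f"{pos}. {inst.host} ({inst.version}, {inst.exposure})")
    outside = [i.host for i in INVENTORY if not is_affected(i.version)]
    print("not in the advisory's stated range (verify separately):", outside)
```

The legacy 12.1.3 host is deliberately kept out of the queue rather than silently dropped: the advisory only lists 12.2.3–12.2.15, so anything else should be checked against Oracle's own patch matrix instead of being assumed unaffected.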
Sources
- Oracle Critical Patch Update Advisory, May 2026: https://www.oracle.com/security-alerts/cspumay2026.html
- NVD entry for CVE-2026-46822: https://nvd.nist.gov/vuln/detail/CVE-2026-46822