CVE-2026-46823: Oracle Public Sector Financials Authorization Bypass – CVSS 7.7 HIGH
CVE-2026-46823 is an authorization flaw in Oracle Public Sector Financials (International), a module of Oracle E-Business Suite. An attacker with a low-privileged account and network access can bypass authorization controls to read sensitive financial data that should be restricted. The vulnerability requires valid credentials but no user interaction, making it a straightforward privilege escalation path. Affected versions range from 12.2.6 through 12.2.15.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from an authorization weakness (CWE-863: Incorrect Authorization) in the Oracle Public Sector Financials (International) component. The flaw allows an authenticated attacker to access confidential data beyond their assigned privileges through an HTTPS-based vector. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicates low attack complexity, no user interaction required, and cross-system scope change—meaning compromise of this component can affect other dependent systems within the EBS environment. There is no integrity or availability impact; this is purely a data confidentiality issue.
Business impact
Public sector organizations using Oracle E-Business Suite for financial management face exposure of sensitive fiscal data, including budget information, expenditures, and audit trails that may be subject to regulatory compliance requirements. Unauthorized access by internal actors (or those with compromised low-privilege credentials) could lead to data theft, regulatory violations, loss of audit trail integrity for forensic purposes, and reputational harm. The cross-scope nature of the vulnerability means lateral access into other EBS modules or systems is possible, amplifying the blast radius.
Affected systems
Directly affected: Oracle Public Sector Financials (International) module versions 12.2.6, 12.2.7, through 12.2.15 within Oracle E-Business Suite. Indirectly at risk: other Oracle E-Business Suite modules and integrated systems that share authentication realms or consume financial data from Public Sector Financials. Organizations must identify all EBS instances running the affected versions and any external systems with data dependencies on this component.
Exploitability
This vulnerability is easily exploitable. An attacker requires only a valid low-privileged user account (such as a junior analyst or read-only user role) and network connectivity to the HTTPS interface. No zero-day exploitation techniques, unusual attack chains, or social engineering are needed. The straightforward nature of the attack makes it attractive to both opportunistic threat actors and insider threat actors. However, it is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been formally documented, though this does not rule out targeted attacks.
Remediation
Apply the security patch released by Oracle. Organizations should prioritize this update given the ease of exploitation and sensitivity of financial data. Test patches in a staging environment first to ensure compatibility with existing EBS customizations and dependent modules. In parallel, implement compensating controls: restrict network access to EBS HTTPS endpoints via firewall rules, enforce strict role-based access controls (RBAC) to minimize low-privileged user permissions, and enable detailed audit logging on financial data access to detect anomalies.
Patch guidance
Contact Oracle or consult your Oracle support account for the specific patch version addressing CVE-2026-46823 for your affected EBS release. Patches are typically cumulative; verify the patch bundle includes fixes for Oracle Public Sector Financials (International) authorization. Apply patches during a scheduled maintenance window after thorough testing. Confirm patch application by reviewing the system's installed patch history and re-running Oracle's PSU (Patch Set Update) validation tools.
Detection guidance
Monitor for suspicious data access patterns in Oracle Public Sector Financials (International): flag queries or reports run by low-privileged users accessing restricted financial datasets, track failed and successful authentication attempts to the financial module, search audit logs for privilege escalation or role assumption events, and correlate EBS activity with user job functions (e.g., why is a junior analyst accessing executive budget reports?). Enable Oracle's advanced auditing features for the affected component and forward audit data to your SIEM for correlation with other security events. Look for access from unusual IP ranges or outside normal business hours.
Why prioritize this
CVE-2026-46823 merits immediate attention due to the combination of high CVSS score (7.7), ease of exploitation, sensitivity of financial data at risk, and cross-system impact potential. The low barrier to entry (any low-privileged user) and absence of integrity/availability constraints mean attackers can conduct stealth reconnaissance without triggering alerts. Public sector organizations face heightened compliance obligations around financial data protection, making this breach particularly costly.
Risk score, explained
The CVSS 3.1 base score of 7.7 (HIGH severity) reflects: network-based attack vector (AV:N), low attack complexity (AC:L), low privilege requirements (PR:L), no user interaction (UI:N), scope change (S:C—cross-system impact), and high confidentiality impact (C:H). The absence of integrity (I:N) and availability (A:N) impacts prevents a critical score, but the combination of ease of exploitation and data sensitivity justifies prioritization above standard high-severity issues.
Frequently asked questions
Do we need to patch immediately if we run Oracle E-Business Suite but are unsure if Public Sector Financials (International) is installed?
Yes, verify your EBS installation first. Run Oracle's configuration tools to confirm whether the Public Sector Financials (International) module is active. If it is and you are running version 12.2.6–12.2.15, apply the patch without delay. If the module is not installed, this CVE does not affect your environment.
Our low-privileged users need read access to some financial data for their roles. How can we mitigate risk if we cannot patch immediately?
Implement granular RBAC to restrict read-only users to specific financial datasets and reports they genuinely need; disable access to sensitive master data and exception reports. Use network segmentation to limit which IP ranges can access the EBS financial module. Enable real-time audit logging and anomaly detection to catch unauthorized access attempts. These are temporary compensating controls—patching remains the primary fix.
Is this vulnerability being actively exploited in the wild?
This CVE has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the latest update. However, the ease of exploitation means it is likely only a matter of time before it becomes a target. Do not wait for public evidence of exploitation before prioritizing your response.
Will the patch break our customizations or integrations to EBS?
Oracle patches are generally backward-compatible, but custom code, third-party integrations, and modified workflows may conflict. Always test patches in a non-production environment that mirrors your production configuration. Review any custom authorization logic or role definitions before deploying to production.
This analysis is based on publicly available CVE and vendor information as of the publication date. CVSS scores, patch versions, and KEV status reflect data current at time of writing; consult Oracle's official security advisories and patches for the most up-to-date guidance. Organizations should conduct their own risk assessments and internal testing before deploying patches to production systems. SEC.co does not provide legal or compliance advice; consult your legal and compliance teams regarding regulatory obligations related to this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-14774HIGHABB T-MAC Plus Denial-of-Service Vulnerability (CVSS 7.4)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2026-3514HIGHPrefect 3.6.19 Authentication Bypass via Health Check Exemptions
- CVE-2026-35482HIGHalf.io Sandbox Escape Allows Admin Command Execution
- CVE-2026-35674HIGHOpenClaw Gateway Scope Bypass Privilege Escalation
- CVE-2026-44654HIGHLibreChat File Deletion Cross-Agent Integrity Bypass
- CVE-2026-44850HIGHPortainer Bind Mount Restriction Bypass – HIGH Severity Security Flaw
- CVE-2026-44882HIGHPortainer Kubernetes Authorization Bypass Vulnerability