Exploited Critical Vulnerability in the Oracle Payments Component of Oracle E-Business Suite

CVE-2026-46817 could allow unauthenticated remote takeover of Oracle Payments

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CVE-2026-46817 could allow unauthenticated remote takeover of Oracle Payments


Affected platforms

The following platforms are known to be affected:

Threat details

Exploitation of CVE-2026-46817

Security researchers have reported observing exploitation of vulnerability CVE-2026-46817 in the wild.

The NHS England National CSOC assesses further exploitation as highly likely.


Introduction

Oracle has released security updates to address a critical vulnerability in the Oracle Payments file transmission component within Oracle E-Business Suite. Successful exploitation could allow unauthenticated attackers to fully compromise affected systems.

  • CVE-2026-46817 - 'Missing Authentication / Improper Authentication / Improper Privilege Management' vulnerability - CVSSv3.1 score: 9.8

Remediation advice

Affected organisations must review the Oracle May 2026 Critical Security Patch Updates and follow the remediation steps below.


Remediation steps

Type: Patch

Step: Required: Organisations must apply the latest Oracle E-Business Suite update as soon as possible.

Note: Organisations running "sustaining support" or end-of-life releases of Oracle E-Business Suite must upgrade to a supported version.

https://www.oracle.com/security-alerts/cspumay2026.html#AppendixEBS


Last edited: 29 June 2026 4:27 pm