CVE-2026-46930 Overview
CVE-2026-46930 is an improper access control vulnerability [CWE-284] in the Internal Operations component of Oracle In-Memory Cost Management for Discrete Industries, part of Oracle E-Business Suite. The flaw affects supported versions 12.2.12 through 12.2.15. An unauthenticated remote attacker with network access via HTTPS can exploit the issue without user interaction. Successful exploitation results in unauthorized creation, deletion, or modification of critical data and full read access to all data accessible to the product. Oracle disclosed the issue in the June 2026 Critical Security Patch Update.
Critical Impact
An unauthenticated network attacker can read and modify all data accessible to Oracle In-Memory Cost Management for Discrete Industries, compromising confidentiality and integrity of E-Business Suite financial costing data.
Affected Products
- Oracle In-Memory Cost Management for Discrete Industries 12.2.12
- Oracle In-Memory Cost Management for Discrete Industries 12.2.13, 12.2.14
- Oracle In-Memory Cost Management for Discrete Industries 12.2.15
Discovery Timeline
- 2026-06-17 - CVE-2026-46930 published to NVD following Oracle's June 2026 Critical Patch Update
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-46930
Vulnerability Analysis
The vulnerability resides in the Internal Operations component of Oracle In-Memory Cost Management for Discrete Industries. The component fails to enforce proper access control on HTTPS-exposed functionality, allowing a remote attacker to interact with privileged operations without authentication. Successful exploitation grants both read and write access to all data the product can reach, including item cost data, cost workbenches, and related financial records used by manufacturing organizations.
The issue is classified under CWE-284: Improper Access Control. Because the attack requires no privileges and no user interaction, automated mass exploitation is feasible once a working request is known.
Root Cause
The root cause is missing or inadequate authorization enforcement on network-reachable endpoints in the Internal Operations component. Oracle has not published implementation-level details. The CWE-284 mapping indicates the product accepts requests that should be restricted to authenticated, authorized principals.
Attack Vector
The attack vector is network-based via HTTPS against an exposed Oracle E-Business Suite instance running an affected version of In-Memory Cost Management for Discrete Industries. The attacker sends crafted HTTPS requests directly to the vulnerable component without supplying credentials. Because Oracle E-Business Suite deployments often surface modules through a shared web tier, any internet-exposed or partner-network-reachable EBS environment expands the attack surface. The EPSS score is 0.377% with a percentile of 29.357 as of 2026-06-18, but exposure risk remains high given the unauthenticated nature of the flaw.
No verified public proof-of-concept code is available. See the Oracle Security Alert June 2026 for vendor-published details.
Detection Methods for CVE-2026-46930
Indicators of Compromise
- Unexpected HTTPS requests to Oracle E-Business Suite endpoints associated with In-Memory Cost Management modules originating from unauthenticated sessions.
- Unexplained creation, modification, or deletion of cost management records, item cost data, or related workbench entries.
- Anomalous outbound data transfers from the EBS application tier following inbound HTTPS traffic from unfamiliar source addresses.
- Web server access logs showing successful HTTP 200 responses to costing-related URIs without a corresponding authenticated session cookie.
Detection Strategies
- Inventory all Oracle E-Business Suite 12.2.12–12.2.15 deployments and confirm which expose the In-Memory Cost Management module to untrusted networks.
- Inspect Oracle HTTP Server and reverse-proxy logs for requests to costing servlets and JSP endpoints lacking valid session tokens.
- Audit database tables backing Oracle Cost Management for record changes that do not correlate to authenticated EBS user activity.
- Correlate WAF telemetry with EBS application logs to surface unauthenticated request patterns targeting Internal Operations endpoints.
Monitoring Recommendations
- Enable verbose access logging on the Oracle HTTP Server tier and forward logs to a centralized SIEM for retention and analysis.
- Alert on HTTP requests to EBS costing endpoints from source addresses outside expected administrative or integration ranges.
- Monitor database audit trails on Cost Management schemas for INSERT, UPDATE, and DELETE operations executed by application service accounts at unusual times or volumes.
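As an added example (not code from this advisory or from Oracle), the following Python applies the log-based checks named under Indicators of Compromise, Detection Strategies and Monitoring Recommendations to Oracle HTTP Server access lines: it flags a 200 response to a costing URI that carries no EBS session cookie, or that comes from a source outside the expected administrative/integration ranges. It assumes a custom OHS LogFormat that appends the request Cookie header; the costing URI prefix, session cookie name and trusted networks are hypothetical placeholders to be replaced with site values, and the log lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed OHS/Apache LogFormat with the request Cookie header appended (the default
# "combined" format does not log cookies):  "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\""
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
# Site-specific placeholders (hypothetical values, not taken from the advisory).
COSTING_URI_PREFIXES = ("/OA_HTML/cost/",)              # URI prefix(es) of costing endpoints
SESSION_COOKIE_NAME = "EBS_SESSION"                      # name of the EBS session cookie
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # expected admin/integration ranges

@dataclass
class Finding:
    src: str
    uri: str
    reasons: tuple

def analyze(line):
    """Return a Finding for a suspicious costing request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                                      # malformed or foreign log line
    if m["status"] != "200" or not m["uri"].startswith(COSTING_URI_PREFIXES):
        return None                                      # only successful costing hits matter
    reasons = []
    if f"{SESSION_COOKIE_NAME}=" not in m["cookie"]:
        reasons.append("no session cookie")              # success without a session
    try:
        trusted = any(ipaddress.ip_address(m["src"]) in net for net in TRUSTED_NETS)
    except ValueError:
        trusted = False                                  # hostname logged instead of an IP
    if not trusted:
        reasons.append("untrusted source")
    return Finding(m["src"], m["uri"], tuple(reasons)) if reasons else None

def scan(lines):
    return [f for f in map(analyze, lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG_LINES = (
    '10.10.0.5 - - [18/Jun/2026:10:01:02 +0000] "GET /OA_HTML/cost/Workbench?id=7 HTTP/1.1" 200 5120 "EBS_SESSION=abc123; lang=US"',
    '203.0.113.7 - - [18/Jun/2026:10:02:10 +0000] "POST /OA_HTML/cost/ItemCostUpdate HTTP/1.1" 200 318 "-"',
    '203.0.113.7 - - [18/Jun/2026:10:02:11 +0000] "GET /OA_HTML/cost/Workbench HTTP/1.1" 302 0 "-"',
    '10.10.0.9 - - [18/Jun/2026:10:03:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 800 "-"',
    '192.0.2.44 - - [18/Jun/2026:10:04:00 +0000] "GET /OA_HTML/cost/Export HTTP/1.1" 200 90210 "EBS_SESSION=zz9"',
)
```

The 302 and non-costing sample lines show what the scan deliberately ignores; redirects to the login page and unrelated URIs are normal, so only successful responses on costing paths are reported.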
How to Mitigate CVE-2026-46930
Immediate Actions Required
- Apply the patches referenced in the Oracle Security Alert June 2026 to all Oracle E-Business Suite 12.2.12–12.2.15 instances.
- Restrict network exposure of the EBS application tier so In-Memory Cost Management endpoints are not reachable from the public internet.
- Review Cost Management data for unauthorized modifications dating back to before patch deployment.
- Rotate credentials and integration tokens used by the EBS application tier if compromise is suspected.
Patch Information
Oracle released the fix as part of the June 2026 Critical Patch Update. Customers running supported versions 12.2.12 through 12.2.15 must apply the relevant patch bundle. Refer to the Oracle Security Alert June 2026 for patch identifiers, prerequisites, and deployment instructions specific to each version.
Workarounds
- Place a web application firewall in front of the EBS application tier and block unauthenticated requests to In-Memory Cost Management URIs until patching completes.
- Limit HTTPS access to the EBS environment by source IP allowlist, restricting access to known administrative and integration networks.
- Disable the In-Memory Cost Management for Discrete Industries module on instances that do not require it, following Oracle-supported deactivation procedures.
# Example: restrict EBS HTTPS access at the network edge to a known admin CIDR
# (10.10.0.0/24 is a placeholder; substitute your own administrative/integration ranges)
iptables -A INPUT -p tcp --dport 443 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# -A appends to the chain, so check that no earlier rule already accepts port 443 ahead of these
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.