CVE-2026-46961 Overview
CVE-2026-46961 is a high-severity vulnerability in the Oracle Project Portfolio Analysis product, part of Oracle E-Business Suite. The flaw resides in the Internal Operations component and affects supported versions 12.2.3 through 12.2.15. A low-privileged attacker with network access over HTTP can exploit this weakness without user interaction. Successful exploitation results in full takeover of Oracle Project Portfolio Analysis, compromising confidentiality, integrity, and availability. The vulnerability maps to [CWE-269: Improper Privilege Management].
Critical Impact
An authenticated attacker with low privileges can take over Oracle Project Portfolio Analysis over the network via HTTP, achieving high impact across confidentiality, integrity, and availability.
Affected Products
- Oracle E-Business Suite — Oracle Project Portfolio Analysis 12.2.3
- Oracle E-Business Suite — Oracle Project Portfolio Analysis versions 12.2.4 through 12.2.14
- Oracle E-Business Suite — Oracle Project Portfolio Analysis 12.2.15
Discovery Timeline
- 2026-06-17 - CVE-2026-46961 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-46961
Vulnerability Analysis
The vulnerability exists in the Internal Operations component of Oracle Project Portfolio Analysis. Oracle classifies the issue as easily exploitable and accessible over the network using HTTP. Authentication is required, but only low-privileged credentials are needed. No user interaction is involved in the attack chain.
According to the Oracle advisory, successful exploitation results in takeover of Oracle Project Portfolio Analysis, with high impact on confidentiality, integrity, and availability. The CVSS scope is unchanged, so the rated impact is confined to the vulnerable component rather than extending to the host or other applications. The Exploit Prediction Scoring System (EPSS) estimates a 0.389% probability of exploitation in the wild over the next 30 days (30.6th percentile). EPSS is a forecast, not a record of observed attacks; a low score should not be read as proof that nobody is exploiting the flaw.
Root Cause
The root cause is mapped to [CWE-269: Improper Privilege Management]. Oracle has not described the defect itself; the CWE mapping indicates that the Internal Operations component does not enforce privilege boundaries correctly for authenticated low-privileged sessions, so a user with limited application rights can perform actions reserved for administrators of the Project Portfolio Analysis module.
Attack Vector
The attack vector is network-based via HTTP against the Oracle E-Business Suite web tier. An attacker authenticates with a low-privileged Oracle EBS account, then issues crafted requests to the Project Portfolio Analysis Internal Operations functions. Because the flaw requires only low privileges and no user interaction, and Oracle has not stated that a specific responsibility is needed, any low-privileged account on the EBS instance should be treated as able to reach the vulnerable surface.
Oracle has not published technical exploitation details. Refer to the Oracle Security Alert for vendor-provided guidance and patch references.
Detection Methods for CVE-2026-46961
Indicators of Compromise
- Unexpected privilege changes or new responsibilities assigned to low-privileged Oracle EBS user accounts.
- HTTP requests to Project Portfolio Analysis Internal Operations URLs originating from accounts that do not normally use this module.
- Anomalous administrative actions in Oracle EBS audit data (FND_LOG_MESSAGES, and the sign-on audit tables FND_LOGINS and FND_LOGIN_RESPONSIBILITIES) tied to low-privileged sessions.
Detection Strategies
- Enable and review Oracle E-Business Suite sign-on auditing (the Sign-On:Audit Level profile option set to FORM captures user, responsibility, and form-level activity) and page-access tracking for the Project Portfolio Analysis module.
- Compare current user responsibility assignments (FND_USER_RESP_GROUPS) against an approved baseline to detect unauthorized escalations.
- Correlate web tier access logs with EBS user roles to identify privilege boundary violations against Internal Operations endpoints.
Monitoring Recommendations
- Forward Oracle EBS application, database audit, and web tier logs to a centralized SIEM for retention and correlation.
- Alert on creation or modification of system administrator responsibilities outside scheduled change windows.
- Monitor authentication patterns for low-privileged accounts that suddenly access privileged modules or APIs.
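The following script is an added example, not Oracle code or a vendor-provided detection, that runs the responsibility-baseline comparison, the web tier log correlation, and the change-window alert described in the Detection Strategies and Monitoring Recommendations above over constructed sample data. The responsibility snapshots are shaped loosely like an export of FND_USER_RESP_GROUPS; the access-log layout (already joined to the EBS user name), the PA_PPA_ADMIN responsibility key, the /OA_HTML/ppa/... path prefixes, and the 20:00-22:00 change window are all assumptions to be replaced with values from your own instance. Oracle has not published the affected endpoints.

```python
"""Detection example for CVE-2026-46961 indicators (added example, not Oracle code)."""
import re
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Responsibilities treated as privileged for the PPA module. Assumption:
# substitute the responsibility keys that grant Internal Operations access.
PRIVILEGED_RESPONSIBILITIES = {"SYSTEM_ADMINISTRATOR", "PA_PPA_ADMIN"}

# Hypothetical URL prefixes fronting privileged PPA functions. Placeholders only;
# Oracle has not published the affected endpoints.
PRIVILEGED_PATH_PREFIXES = ("/OA_HTML/ppa/admin/", "/OA_HTML/ppa/internalops/")

# Constructed baseline and current snapshots, shaped loosely like an export of
# FND_USER_RESP_GROUPS reduced to user_name -> set of responsibility_key.
BASELINE_RESPS: Dict[str, Set[str]] = {
    "JSMITH": {"PA_PROJECT_ANALYST"},
    "AKHAN": {"PA_PROJECT_ANALYST"},
    "SYSADMIN": {"SYSTEM_ADMINISTRATOR"},
}
CURRENT_RESPS: Dict[str, Set[str]] = {
    "JSMITH": {"PA_PROJECT_ANALYST"},
    "AKHAN": {"PA_PROJECT_ANALYST", "SYSTEM_ADMINISTRATOR"},  # unapproved grant
    "SYSADMIN": {"SYSTEM_ADMINISTRATOR"},
}

# Constructed access log lines. Assumed layout: the web tier log has already been
# joined to the EBS session data so each line carries the EBS user name:
#   <iso timestamp> <user> <method> <path> <status>
SAMPLE_ACCESS_LOG = """\
2026-06-18T09:12:03 JSMITH GET /OA_HTML/ppa/reports/summary 200
2026-06-18T09:12:41 JSMITH POST /OA_HTML/ppa/internalops/recalc 200
2026-06-18T09:13:05 SYSADMIN POST /OA_HTML/ppa/admin/settings 200
2026-06-18T23:47:12 AKHAN POST /OA_HTML/ppa/admin/settings 302
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed grant audit rows: (user_name, responsibility_key, creation_date, created_by).
SAMPLE_GRANT_AUDIT = [
    ("AKHAN", "SYSTEM_ADMINISTRATOR", "2026-06-18T23:40:00", "AKHAN"),
    ("BLEE", "SYSTEM_ADMINISTRATOR", "2026-06-17T21:05:00", "SYSADMIN"),
    ("JSMITH", "PA_PROJECT_ANALYST", "2026-06-15T21:10:00", "SYSADMIN"),
]
# Approved daily change window (assumption).
CHANGE_WINDOW = (time(20, 0), time(22, 0))


def diff_responsibilities(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per user, responsibilities present now that the baseline did not approve.
    Users missing from the baseline are reported with everything they hold."""
    drift: Dict[str, Set[str]] = {}
    for user, resps in current.items():
        added = resps - baseline.get(user, set())
        if added:
            drift[user] = added
    return drift


def flag_privilege_boundary_violations(log_text: str, user_resps: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(timestamp, user, path) for requests to privileged paths by users whose
    responsibilities include no privileged one. Pass the *baseline* snapshot so
    an attacker who has already granted themselves admin rights is still flagged."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        path = m.group("path")
        if not path.startswith(PRIVILEGED_PATH_PREFIXES):
            continue
        user = m.group("user")
        if user_resps.get(user, set()) & PRIVILEGED_RESPONSIBILITIES:
            continue  # legitimately privileged account
        hits.append((m.group("ts"), user, path))
    return hits


def grants_outside_window(rows, window=CHANGE_WINDOW) -> List[Tuple[str, str, str, str]]:
    """Privileged-responsibility grants made outside the change window, plus any
    grant where the recipient is also the grantor (self-escalation)."""
    start, end = window
    flagged = []
    for user, resp, ts, granted_by in rows:
        if resp not in PRIVILEGED_RESPONSIBILITIES:
            continue
        t = datetime.fromisoformat(ts).time()
        if not (start <= t <= end) or granted_by == user:
            flagged.append((user, resp, ts, granted_by))
    return flagged


if __name__ == "__main__":
    print("responsibility drift:", diff_responsibilities(BASELINE_RESPS, CURRENT_RESPS))
    print("boundary violations:", flag_privilege_boundary_violations(SAMPLE_ACCESS_LOG, BASELINE_RESPS))
    print("grants outside window:", grants_outside_window(SAMPLE_GRANT_AUDIT))
```

In production the three inputs come from a scheduled export of FND_USER_RESP_GROUPS, the SIEM's normalized web tier events, and the creation audit columns on the responsibility assignment rows; the functions stay the same. Feeding the baseline rather than the live table into the access-log check is deliberate: the escalation the CWE describes may leave the attacker holding a privileged responsibility, and comparing against the live table would make that request look legitimate.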
How to Mitigate CVE-2026-46961
Immediate Actions Required
- Apply the patches referenced in the Oracle Security Alert for June 2026 to all affected EBS environments.
- Inventory Oracle E-Business Suite installations running versions 12.2.3 through 12.2.15 and prioritize internet-exposed instances.
- Review and prune unnecessary user accounts and responsibilities on Oracle Project Portfolio Analysis to reduce the pool of low-privileged accounts.
- Rotate credentials for any accounts that may have accessed the Project Portfolio Analysis Internal Operations component during the exposure window.
Patch Information
Oracle addresses CVE-2026-46961 in its June 2026 Security Alert. Administrators must download the appropriate patch bundle for their EBS release from My Oracle Support and apply it with Oracle's standard EBS 12.2 online patching procedure (adop). See the Oracle Security Alert for version-specific patch identifiers.
Workarounds
- Restrict network access to the EBS web tier using firewalls, reverse proxies, or VPN gating until patches are deployed.
- Disable or restrict the Project Portfolio Analysis responsibility for users who do not require access to Internal Operations functions.
- Enforce multi-factor authentication on all EBS accounts through the single sign-on integration EBS authenticates against, to limit the value of compromised low-privileged credentials.
# Configuration example: restrict EBS web tier access at the network edge
# (replace placeholders with values appropriate to your environment).
# Port 8000 is the default s_webport of a 12.2 install; take the real HTTP and SSL
# ports (s_webport, s_webssl_port) from the context file. Rule order matters: each
# ACCEPT must precede its DROP, and both must precede any blanket ACCEPT on INPUT.
iptables -A INPUT -p tcp --dport 8000 -s <trusted_subnet>/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
iptables -A INPUT -p tcp --dport <ssl_port> -s <trusted_subnet>/24 -j ACCEPT
iptables -A INPUT -p tcp --dport <ssl_port> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

