
CVE-2026-46967: Oracle Public Sector Financials Auth Bypass

CVE-2026-46967 is an authorization bypass (improper access control, CWE-284) in Oracle Public Sector Financials (International), part of Oracle E-Business Suite, that lets a low-privileged network attacker take over the affected instance. It carries a CVSS 3.1 base score of 8.8. This article covers technical details, affected versions, detection, and mitigation.


CVE-2026-46967 Overview

CVE-2026-46967 is an authorization vulnerability [CWE-284] in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite. The flaw resides in the Authorization component and affects supported versions 12.2.3 through 12.2.15. A low-privileged attacker with network access over HTTP can exploit this issue without user interaction. Successful exploitation can result in full takeover of the Oracle Public Sector Financials (International) instance, impacting confidentiality, integrity, and availability. Oracle addressed the vulnerability in its June 2026 Critical Patch Update Security Alert.

Critical Impact

A network-accessible attacker holding only low-level credentials can compromise the application and take it over, exposing finance data and disrupting operations.

Affected Products

  • Oracle Public Sector Financials (International) versions 12.2.3 through 12.2.15 inclusive

Discovery Timeline

  • 2026-06-17 - CVE-2026-46967 published to the National Vulnerability Database
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-46967

Vulnerability Analysis

The vulnerability sits in the Authorization component of Oracle Public Sector Financials (International), part of the broader Oracle E-Business Suite. The product enforces access decisions that determine which finance and reporting actions an authenticated user can perform. CVE-2026-46967 weakens these checks, allowing an attacker who already holds a low-privileged account to perform actions reserved for higher-privileged roles.

Oracle classifies the issue as easily exploitable over the network via HTTP. No user interaction is required, and the attacker does not need administrative credentials. The end result described by Oracle is takeover of the affected Public Sector Financials (International) deployment, with confidentiality, integrity, and availability all impacted.

Enterprises running Oracle E-Business Suite typically expose application tiers to internal users and, in some deployments, to partners over web channels. That exposure expands the realistic attack surface for this authorization flaw.

Root Cause

The root cause maps to CWE-284: Improper Access Control. Authorization logic in the affected component does not correctly restrict actions to the intended privilege level, letting a low-privileged session reach functionality it should not. Specific vulnerable code paths have not been disclosed by Oracle.

Attack Vector

The attack vector is network-based over HTTP against the Oracle E-Business Suite application tier. The attacker authenticates with a low-privileged account, then issues crafted requests to the Public Sector Financials (International) module. The characteristics Oracle lists (network reachable, easily exploitable, low privileges, no user interaction, unchanged scope, high confidentiality, integrity and availability impact) correspond to the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which yields the 8.8 (High) base score. Because the scope is unchanged, the resulting takeover is of the application instance itself; reaching the database or operating system would require a further flaw.

No public proof-of-concept exploit or CISA KEV listing is associated with CVE-2026-46967 at the time of publication. Refer to the Oracle Security Alert for vendor-supplied technical context.

Detection Methods for CVE-2026-46967

Indicators of Compromise

  • Unexpected privileged actions in Oracle E-Business Suite audit tables originating from low-privileged user accounts.
  • HTTP requests to Public Sector Financials (International) endpoints that bypass standard menu navigation or referrer paths.
  • Sudden changes to financial configuration, supplier records, or reporting jobs without a corresponding change ticket.

Detection Strategies

  • Enable and review Oracle E-Business Suite Sign-On Audit and Page Access Tracking for the Public Sector Financials (International) responsibilities.
  • Baseline normal HTTP request patterns against the OA_HTML and related application endpoints, then alert on deviations from low-privileged sessions.
  • Correlate web tier access logs with database audit records to identify privilege mismatches between session role and executed operations.

Monitoring Recommendations

  • Forward Oracle E-Business Suite application, database, and web tier logs into a centralized SIEM for cross-source correlation.
  • Monitor for new or modified responsibilities, menus, and function grants assigned to non-administrative users.
  • Alert on bulk read or export activity from Public Sector Financials (International) tables outside business hours.
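The correlation described under Indicators of Compromise, Detection Strategies and Monitoring Recommendations, as an added example that is not code from Oracle or from the original page: it parses web-tier access-log lines, looks up the functions each ICX session is entitled to through its active responsibility, and tags requests that reach a function outside that set (a 2xx/3xx response meaning the bypass succeeded, a 4xx an attempt), state-changing requests with no referrer, and oversized responses outside business hours. The log layout, the OAFunc names (PSB_*), the session ids and the session-to-function map are constructed placeholders; in a real deployment the map would be built from the Sign-On Audit tables (FND_LOGINS, FND_LOGIN_RESPONSIBILITIES) joined to each responsibility's compiled menu, and the "no change ticket" indicator needs a ticketing feed that this example does not model.

```python
"""Added example (not Oracle's code, not from the original page): correlate
web-tier access-log lines with the functions each session's responsibility
grants and tag the suspicious patterns listed in the detection section.
Log format, OAFunc names, session ids and the session map are constructed."""
import re
from datetime import datetime, time
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed log layout: client [timestamp] "request" status bytes "referer" session
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" (?P<session>\S+)$'
)
FUNC_RE = re.compile(r"[?&]OAFunc=([A-Z0-9_]+)")  # OA Framework function name in the URL

# Constructed: functions reachable from the responsibility each session activated.
# Real input: FND_LOGINS / FND_LOGIN_RESPONSIBILITIES joined to the compiled menu.
SESSION_FUNCS: Dict[str, Set[str]] = {
    "sid=1a2b": {"PSB_HOME", "PSB_BUDGET_INQ"},                                        # inquiry-only user
    "sid=9f8e": {"PSB_HOME", "PSB_BUDGET_INQ", "PSB_BUDGET_APPROVE", "PSB_EXPORT_ALL"},  # manager
}
BULK_BYTES = 50 * 1024 * 1024                # response size treated as a bulk export
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # interpreted in the log's own time zone

# Constructed sample lines; hosts, paths and sizes are invented.
SAMPLE_LOG = """\
10.0.5.21 [18/Jun/2026:09:14:02 +0000] "GET /OA_HTML/OA.jsp?OAFunc=PSB_BUDGET_INQ HTTP/1.1" 200 5120 "https://ebs.example.test/OA_HTML/OA.jsp?OAFunc=PSB_HOME" sid=1a2b
10.0.5.21 [18/Jun/2026:09:15:40 +0000] "POST /OA_HTML/OA.jsp?OAFunc=PSB_BUDGET_APPROVE HTTP/1.1" 200 812 "-" sid=1a2b
10.0.5.87 [18/Jun/2026:09:16:11 +0000] "POST /OA_HTML/OA.jsp?OAFunc=PSB_BUDGET_APPROVE HTTP/1.1" 200 812 "https://ebs.example.test/OA_HTML/OA.jsp?OAFunc=PSB_BUDGET_INQ" sid=9f8e
10.0.5.21 [18/Jun/2026:02:03:55 +0000] "GET /OA_HTML/OA.jsp?OAFunc=PSB_EXPORT_ALL HTTP/1.1" 200 90211000 "-" sid=1a2b
10.0.5.44 [18/Jun/2026:09:20:00 +0000] "GET /OA_HTML/OA.jsp?OAFunc=PSB_BUDGET_APPROVE HTTP/1.1" 403 310 "-" sid=1a2b
"""


class Request(NamedTuple):
    ts: datetime
    client: str
    method: str
    path: str
    func: str        # OAFunc value, or "" when the URL carries none
    status: int
    nbytes: int
    referer: str
    session: str


def parse_line(line: str) -> Request:
    """Parse one access-log line into a Request; raise on lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    f = FUNC_RE.search(m["path"])
    return Request(
        ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        client=m["client"], method=m["method"], path=m["path"],
        func=f.group(1) if f else "",
        status=int(m["status"]), nbytes=int(m["bytes"]),
        referer=m["referer"], session=m["session"],
    )


def findings_for(req: Request) -> List[str]:
    """Return IoC tags for one request; an empty list means nothing suspicious."""
    tags: List[str] = []
    allowed = SESSION_FUNCS.get(req.session)
    if allowed is None:
        tags.append("unknown-session")          # no audit record for this session id
    elif req.func and req.func not in allowed:
        # Function outside the session's responsibility. A 2xx/3xx means the
        # application accepted it (bypass succeeded); a 4xx is an attempt.
        tags.append("privilege-mismatch" if req.status < 400 else "privilege-probe")
    if req.method == "POST" and req.referer in ("", "-"):
        tags.append("no-referrer-post")         # state change not reached through menu navigation
    in_hours = BUSINESS_HOURS[0] <= req.ts.time() <= BUSINESS_HOURS[1]
    if req.nbytes >= BULK_BYTES and not in_hours:
        tags.append("after-hours-bulk")         # bulk read/export outside business hours
    return tags


def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (session, function, tags) for every line that produced at least one tag."""
    results: List[Tuple[str, str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        tags = findings_for(req)
        if tags:
            results.append((req.session, req.func, tags))
    return results


if __name__ == "__main__":
    for session, func, tags in scan(SAMPLE_LOG):
        print(f"{session} {func or '-'}: {', '.join(tags)}")
```

On the sample, the inquiry-only session sid=1a2b is tagged three times: a successful no-referrer POST to PSB_BUDGET_APPROVE, an after-hours 90 MB response from PSB_EXPORT_ALL, and a 403 probe of PSB_BUDGET_APPROVE; the manager session produces nothing. The session-to-function map is the part that must be regenerated per login from the audit tables, since a user may switch responsibilities within a session.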

How to Mitigate CVE-2026-46967

Immediate Actions Required

  • Apply the fixes from the Oracle June 2026 Critical Patch Update Security Alert to all affected Oracle E-Business Suite environments.
  • Inventory Oracle Public Sector Financials (International) deployments running versions 12.2.3 through 12.2.15 and prioritize them for patching.
  • Review and tighten low-privileged account assignments, removing dormant or unnecessary E-Business Suite logins.
  • Restrict network access to the Oracle E-Business Suite application tier to known internal ranges and authenticated VPN users.

Patch Information

Oracle published fixes for CVE-2026-46967 as part of the June 2026 Critical Patch Update Security Alert. Customers should consult the Oracle Security Alert for the specific patch identifiers that map to their Oracle E-Business Suite 12.2 deployment and apply them through the standard adop patching workflow.

Workarounds

  • Place the Oracle E-Business Suite application tier behind a web application firewall and block direct internet exposure of Public Sector Financials (International) endpoints.
  • Temporarily reduce the responsibilities granted to low-privileged users until patches are applied, focusing on Public Sector Financials (International) functions.
  • Increase database and application audit verbosity to capture authorization decisions while remediation is in progress.
```bash
# Patch verification example
# Confirm the Oracle E-Business Suite 12.2 patch level after applying the
# June 2026 CPU / Security Alert fixes. Run on the application tier as the
# EBS OS user, with the run file-system environment sourced.
source $APPL_TOP/APPS<CONTEXT_NAME>.env

# Make sure no online patching cycle is still open: fixes applied in a
# pending cycle are not active until cutover completes.
adop -status

# Look the fix up in the applied-bugs table. Replace the placeholder with
# the bug number(s) the Security Alert lists for your 12.2 release. Connect
# from inside sqlplus rather than on the command line so the APPS password
# does not appear in the process list or shell history.
sqlplus -S /nolog <<EOF
CONNECT apps/<password>
SELECT bug_number, last_update_date
  FROM ad_bugs
 WHERE bug_number IN ('<JUN2026_CPU_BUG_ID>')
 ORDER BY last_update_date DESC;
EXIT;
EOF
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
