CISA has added CVE‑2026‑46817 to its Known Exploited Vulnerabilities catalogue, affecting Oracle’s E‑Business Suite. The vulnerability, named Oracle E‑Business Suite Improper Privilege Management Vulnerability, allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments and potentially take over the component.
The flaw is an improper privilege management issue that can be exploited remotely without authentication. Successful exploitation impacts the confidentiality, integrity and availability of Oracle Payments, leading to a full takeover. The Common Vulnerability Scoring System assigns a base score of 9.8, rating the issue as critical. Oracle has released a patch, which is available through the May 2026 Critical Patch Update advisory.
Active exploitation of this vulnerability has been confirmed, which is the basis for its inclusion in the KEV catalogue. No known ransomware campaign has been linked to the flaw at this time. CISA has set a remediation deadline of 18 July 2026 for federal agencies to apply the required mitigations.
Federal Civilian Executive Branch agencies must apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26‑04 patching guidelines. All organisations should review their exposure to Oracle E‑Business Suite and apply the patch or mitigations as soon as practicable.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-46817 and the CISA KEV catalogue.