External risk intelligence

Oracle E-Business Suite In-Memory Cost Management Data Tampering Vulnerability

CVE advisory · Severity: CRITICAL (CVSS 9.1)

CVE-2026-46930

A critical vulnerability exists in Oracle In-Memory Cost Management for Discrete Industries, allowing unauthenticated network attackers to gain unauthorized access or modify critical data. This issue could lead to unauthorized creation, deletion, or modification of data, or complete access to all accessible data within

Halo Surface Signal

Possible · external exposure


The component is identified as Internal Operations within Oracle E-Business Suite. While network access via HTTPS is possible, this product is typically deployed in internal, segmented business environments rather than being designed as an internet-facing edge service or public gateway.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle's In-Memory Cost Management for Discrete Industries within Oracle E-Business Suite. This issue, which is easily exploitable by an unauthenticated attacker over the network, could allow for unauthorized modification or complete access to sensitive data within the system. The primary concern is to determine if this specific product is in use and, if so, to what extent it is exposed.

  • Unauthenticated network access can alter or expose critical data.
  • Understand if this specific Oracle component is in use.
  • Confirm relevance and potential exposure to sensitive data.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by accessing the Oracle In-Memory Cost Management for Discrete Industries component over a network using HTTPS. This could lead to unauthorized data manipulation or complete data access within the affected product.

  • Network access via HTTPS required.
  • Exploits Internal Operations component.
  • Leads to unauthorized data access/modification.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker with network access via HTTPS could compromise Oracle In-Memory Cost Management for Discrete Industries. This could lead to unauthorized creation, deletion, or modification of critical data, or complete access to all data within the affected component.

  • Critical data within the product.
  • Network access via HTTPS.
  • Unauthorized data modification or access.

Operational Fix

Recommended remediation, mitigation, and detection steps

Ownership of this vulnerability likely falls to the Oracle E-Business Suite administrators and the business unit application owners responsible for In-Memory Cost Management. The first critical step is to identify all instances of the affected Oracle E-Business Suite product within your environment, determine their exposure, and confirm their business criticality to prioritize remediation efforts.

  • Oracle E-Business Suite administrators own the issue.
  • Verify product deployment and network exposure.
  • Plan remediation based on criticality and risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-46930 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle In-Memory Cost Management allows unauthenticated network access to compromise critical data, potentially causing a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Oracle In-Memory Cost Management for Discrete Industries?

It is a specialized module within the broader Oracle E-Business Suite ecosystem. Organizations use it to analyze and simulate product costs, providing real-time visibility into financial data for manufacturing and supply chain operations. It helps businesses model various cost scenarios to support complex decision-making processes regarding product pricing and inventory valuation.

What does CWE-284 mean for CVE-2026-46930?

CWE-284 is the weakness class for Improper Access Control. In the context of this CVE, it means the software fails to properly restrict access to its data and functionality. Because the system lacks these checks, an attacker can interact with the Internal Operations component without providing credentials, allowing them to read, change, or delete sensitive financial records stored within the application.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specifically crafted requests over a network using HTTPS to the vulnerable component. Because the system does not require authentication, the attacker does not need a username or password to initiate the request. Importantly, this issue involves accessing the Internal Operations component directly; simply viewing the broader Oracle E-Business Suite login page does not inherently trigger this specific data-handling vulnerability.

Is my system at risk if it is not on the public internet?

Halo Surface Signal notes that while this component is reachable via HTTPS, it is typically deployed in internal, segmented business environments rather than as an internet-facing gateway. However, if your internal network allows broad access to this specific component, an attacker who has gained a foothold elsewhere in your infrastructure could still potentially reach and exploit this vulnerability.

What should I do first to manage this CVE?

Your first step is to confirm whether you have the affected versions (12.2.12-12.2.15) of the In-Memory Cost Management module installed in your environment. Consult with your Oracle E-Business Suite application administrators to map where this specific component is active. Once you have identified these instances, determine their role in your business processes to prioritize which systems require immediate attention or additional network isolation.
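The Operational Fix section and this FAQ answer both reduce to the same triage loop: list every Oracle E-Business Suite instance, check whether it runs an affected release (12.2.12 through 12.2.15, as stated above) with the In-Memory Cost Management module active, and rank it by how reachable the component is. The script below is an added example written for this page, not Halo's or Oracle's code. The inventory records, hostnames and the three exposure categories ("internet", "internal-broad", "internal-segmented") are constructed assumptions; the version range is the one the FAQ gives. It assumes the administrator has already gathered version and module-status data, since the advisory does not describe how that is read from the system itself.

```python
"""Triage helper for CVE-2026-46930 (Oracle E-Business Suite,
In-Memory Cost Management for Discrete Industries).

Added example for this advisory page; not vendor code. Ranks inventory
records by affected-version match and network exposure so that the most
reachable vulnerable instances are remediated or isolated first.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Affected range stated in the advisory FAQ: 12.2.12 through 12.2.15 inclusive.
AFFECTED_MIN = (12, 2, 12)
AFFECTED_MAX = (12, 2, 15)

# Assumed exposure labels (not from the advisory); the Surface Signal text
# distinguishes internet-facing from internal, segmented deployments, and the
# FAQ warns about internal networks that allow broad access to the component.
EXPOSURE_LABELS = ("internet", "internal-broad", "internal-segmented")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.2.13' into (12, 2, 13); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the release falls inside the advisory's 12.2.12-12.2.15 window."""
    v = parse_version(version)
    v3 = (v + (0, 0, 0))[:3]          # compare on major.minor.patch only
    return AFFECTED_MIN <= v3 <= AFFECTED_MAX


@dataclass
class EbsInstance:
    host: str
    version: str
    module_enabled: bool   # In-Memory Cost Management active on this instance
    exposure: str          # one of EXPOSURE_LABELS


def triage(inst: EbsInstance) -> str:
    """Priority bucket for one instance: P1/P2/P3, not-affected, or not-applicable."""
    if inst.exposure not in EXPOSURE_LABELS:
        raise ValueError(f"unknown exposure label: {inst.exposure!r}")
    if not inst.module_enabled:
        return "not-applicable"      # module absent: CVE does not apply
    if not is_affected(inst.version):
        return "not-affected"        # outside the stated version range
    if inst.exposure == "internet":
        return "P1"                  # reachable by unauthenticated internet clients
    if inst.exposure == "internal-broad":
        return "P2"                  # reachable from a foothold anywhere internally
    return "P3"                      # segmented: still patch, but lower urgency


def triage_inventory(instances: List[EbsInstance]) -> List[Tuple[str, str]]:
    """Return (host, priority) pairs, most urgent first; stable within a bucket."""
    order = {"P1": 0, "P2": 1, "P3": 2, "not-affected": 3, "not-applicable": 4}
    rows = [(i.host, triage(i)) for i in instances]
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    EbsInstance("ebs-prod-01.example.internal", "12.2.13", True, "internal-broad"),
    EbsInstance("ebs-dmz-01.example.com", "12.2.15", True, "internet"),
    EbsInstance("ebs-dev-02.example.internal", "12.2.11", True, "internal-segmented"),
    EbsInstance("ebs-hr-01.example.internal", "12.2.14", False, "internal-segmented"),
    EbsInstance("ebs-fin-03.example.internal", "12.2.12", True, "internal-segmented"),
]

if __name__ == "__main__":
    for host, prio in triage_inventory(SAMPLE_INVENTORY):
        print(f"{prio:<14} {host}")
```

Feeding the real inventory in place of `SAMPLE_INVENTORY` gives a list that starts with the instances an unauthenticated network client can reach, which matches the advisory's ordering of concerns: exposure first, then business criticality. A `not-applicable` result still deserves a second look, because the module status should be confirmed by the EBS administrators rather than inferred from licensing records alone.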
