CVE | nvd | 28 May 2026

CVE-2026-46819 (CVSS 9.1) — Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploit

CVE. Sourced from nvd, summarised by Matproof.

AI Analysis

What changed and what to do.

A critical vulnerability, CVE-2026-46819, has been published with a CVSS score of 9.1, affecting the Oracle Internet Procurement Connector within Oracle E-Business Suite. The flaw resides in the Internal Operations component and impacts all supported versions from 12.2.3 through 12.2.15. The vulnerability is described as easily exploitable, meaning it requires low complexity and no authentication to potentially compromise the system, posing a severe risk to data confidentiality, integrity, and availability.

Organizations most affected are those using Oracle E-Business Suite for procurement and supply chain operations, particularly in sectors such as manufacturing, retail, financial services, and public sector entities across the EU. Any company relying on the Internet Procurement Connector for supplier collaboration or internal purchasing workflows should treat this as a high-priority security incident. Given the ease of exploitation, unpatched systems are at immediate risk of unauthorized access or data breach.

Compliance teams should immediately verify whether their Oracle E-Business Suite instances fall within the affected version range. The next step is to apply the relevant Oracle Critical Patch Update (CPU) as soon as it becomes available, or implement vendor-provided workarounds if patching is delayed. Additionally, teams should review access logs for any signs of compromise and ensure that any compensating controls, such as network segmentation or strict firewall rules, are in place to limit exposure until the patch is applied.
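The version check described above can be scripted against an instance inventory. The following Python is an added example, not code from Oracle, NVD or Matproof; the instance names and the inventory are constructed, and it assumes each release is available as a dotted string (for example the RELEASE_NAME value from FND_PRODUCT_GROUPS).

```python
import re

# Affected range as stated on this page: 12.2.3 through 12.2.15 (inclusive).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 15)

# Accepts "12.2.10" and also "12.2.10.0"; only the first three parts are compared.
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*$")


def parse_release(release):
    """Return (major, minor, patch) as ints, or None if not a dotted release."""
    m = _RELEASE_RE.match(release or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(release):
    """Classify one release string as 'affected', 'not_in_range' or 'unknown'."""
    version = parse_release(release)
    if version is None:
        return "unknown"  # unparseable data is never treated as safe
    # Tuple comparison is numeric per component, so 12.2.10 > 12.2.3.
    # A plain string comparison would sort "12.2.10" before "12.2.3".
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    # Outside the stated range; the page only lists supported versions.
    return "not_in_range"


def triage(inventory):
    """Group instance names by classification, preserving inventory order."""
    result = {"affected": [], "not_in_range": [], "unknown": []}
    for name, release in inventory:
        result[classify(release)].append(name)
    return result


# Constructed sample inventory (hypothetical instance names and releases).
SAMPLE_INVENTORY = [
    ("ebs-prod", "12.2.10"),
    ("ebs-test", "12.2.3"),
    ("ebs-dr", "12.2.15"),
    ("ebs-legacy", "12.1.3"),
    ("ebs-lab", "12.2.2"),
    ("ebs-unknown", "R12"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Instances reported as `unknown` need a manual check before they are ruled out.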

View original at nvd

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
