CVE-2026-46817 - Oracle E-Business Suite Payments File Transmission takeover

CVE-2026-46817 + Oracle E-Business Suite Payments File Transmission takeover + Critical + 2026-05-19

One-sentence business risk

Unauthenticated HTTP access can take over Oracle Payments, putting payment files, supplier data, treasury workflows, and SOX-relevant financial controls at immediate breach risk.

Research notes

  • Root cause: the Oracle Payments File Transmission component accepts a remotely reachable HTTP path that can be abused without credentials, allowing compromise of Oracle Payments.
  • Affected versions: Oracle E-Business Suite Oracle Payments 12.2.3 through 12.2.15.
  • Fixed / safe versions: Oracle May 2026 Critical Security Patch Update for E-Business Suite, plus current post-CSPU one-off patches if Oracle Support lists them for the environment.
  • Public exploit / PoC signal: multiple threat reports on June 29-30, 2026 reported exploitation in the wild; treat internet-reachable EBS as potentially probed.
  • CVSS: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Exact vulnerable code pattern

// EBS custom extension or gateway wrapper: mirrors the risky shape.
String fileName = request.getParameter("fileName");
String paymentBatch = request.getParameter("batchId");
Path target = Paths.get(oraclePaymentsInboundDir, fileName);

// No EBS session, function-security, responsibility, or canonical path check.
paymentsFileTransmissionService.importFile(paymentBatch, target.toFile());

Fixed / mitigated code pattern

EbsSession session = ebsAuth.requireAuthenticatedSession(request);
ebsAuth.requireFunction(session, "IBY_FILE_TRANSMISSION_ADMIN");
ebsAuth.requireResponsibility(session, "Payments Manager");

String fileName = StrictInputs.fileName(request.getParameter("fileName"));
Path base = Paths.get(oraclePaymentsInboundDir).toRealPath();
Path target = base.resolve(fileName).normalize();
if (!target.startsWith(base) || !Files.isRegularFile(target)) {
    throw new SecurityException("Invalid Oracle Payments transmission file");
}

paymentsFileTransmissionService.importFile(session.actorId(), paymentBatch, target.toFile());

Oracle EBS patch and containment commands:

# On the EBS admin host, verify the environment and patch inventory.
$AD_TOP/bin/adident Header $FND_TOP/patch/115/sql/AFSCJAVS.pls || true
adop -status
opatch lsinventory | tee oracle-ebs-opatch-inventory.txt

# Apply the Oracle May 2026 CSPU/EBS patches from Oracle Support, then run validation.
adop phase=prepare
adop phase=apply patches=<oracle_may_2026_ebs_patch_numbers>
adop phase=finalize
adop phase=cutover
adop phase=cleanup

Step-by-step integration guide

  1. Inventory every Oracle E-Business Suite instance, especially internet-facing or partner-facing nodes exposing /OA_HTML/, Oracle Payments, Integrated SOA Gateway, or file transmission flows.
  2. Apply the Oracle May 2026 Critical Security Patch Update for E-Business Suite 12.2.3-12.2.15 and any Oracle Support one-off patches for CVE-2026-46817.
  3. Review custom Java, PL/SQL, servlet, reverse-proxy, and integration code around Oracle Payments file upload/transmission; add EBS session validation, function security, responsibility checks, and canonical path validation.
  4. Add regression tests that unauthenticated POST/GET requests to payment transmission routes fail with 401/403 and that authenticated users lacking the Payments responsibility cannot import or overwrite files.
  5. Deploy through an EBS maintenance window, run adop -status, verify payment batch processing, and preserve access logs for incident review.

Alternative mitigations

  • Block public access to Oracle EBS management and Oracle Payments paths at the load balancer/VPN; allow only trusted corporate, partner, and batch-network CIDRs.
  • Add WAF rules for unauthenticated requests to /OA_HTML/ paths containing iby, IBY, payment, payments, file, or transmission.
  • Temporarily disable external payment file transmission workflows until patch validation is complete.
  • Rotate Oracle Payments integration credentials, bank transmission keys, EBS application passwords, and any secrets stored on EBS nodes if exploitation is suspected.

Detection signature

id: cve-2026-46817-oracle-ebs-payments-file-transmission
source: NVD, Oracle CSPU, THN, BleepingComputer, SecurityWeek
package_or_product: "Oracle E-Business Suite Oracle Payments"
affected: "12.2.3 through 12.2.15"
fixed: "Oracle May 2026 Critical Security Patch Update and Oracle Support one-off patches"
cvss: "9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
signals:
  - 'unauthenticated HTTP request to /OA_HTML/ with (?i)(iby|payment|payments|file|transmission)'
  - "Oracle Payments import or transmission event without valid EBS user/session"
  - "new or modified payment transmission files outside approved batch windows"
  - "unexpected EBS application-tier process spawning shell, curl, wget, perl, python, or sqlplus"
action: "patch EBS, restrict Oracle Payments exposure, rotate payment integration secrets, and hunt historical requests"

Copy-paste skill

You are remediating CVE-2026-46817 in an Oracle E-Business Suite environment.

Produce a reviewer-ready patch or TRIAGE.md. Inventory every EBS 12.2.3-12.2.15 instance and every custom Oracle Payments/File Transmission integration. Apply the Oracle May 2026 CSPU and any Oracle Support one-off patch for CVE-2026-46817. Block unauthenticated or public access to Oracle Payments file transmission paths, add EBS session/function/responsibility checks in custom wrappers, canonicalize all file paths, and add tests proving unauthenticated and underprivileged requests fail. Preserve access logs and rotate payment integration credentials if the endpoint was reachable.

Keywords, affected tech stack, and revenue tags

  • Keywords: CVE-2026-46817, oracle-payments, oracle-ebs, authentication-bypass, active-exploitation.
  • Affected tech stack: oracle-ebs/java, oracle-payments, enterprise-erp.
  • Revenue tags: sellable_to_fintech, enterprise_blocker, zero_day_gold.

References