Mallory
Critical

Unauthenticated Remote Takeover in Oracle E-Business Suite Oracle Payments File Transmission

Identifiers: CVE-2026-46817, CWE-306 · Missing Authentication for…

CVE-2026-46817 is a critical vulnerability in the File Transmission component of Oracle Payments within Oracle E-Business Suite. Oracle states that supported versions 12.2.3 through 12.2.15 are affected. The flaw is remotely exploitable over HTTP by an unauthenticated attacker, requires low attack complexity, and does not require user interaction. Successful exploitation can result in takeover of Oracle Payments. Reporting on observed exploitation indicates attacks targeted the /OA_HTML/ibytransmit endpoint with crafted XML DeliveryRequest payloads, including use of the CODEX_PULL transmission scheme and a FULL_FILE_PATH value of /etc/passwd, suggesting the exploit path may involve arbitrary file access or a path traversal/local file read condition in the file transmission workflow. Oracle has not publicly provided sufficient technical detail in the supplied content to definitively map the root cause to a specific vulnerable function or class.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to full compromise of the Oracle Payments application, with high impact to confidentiality, integrity, and availability as reflected in the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In practical terms, this is described as takeover of Oracle Payments by an unauthenticated remote attacker. Observed exploitation activity indicates the flaw is being used in the wild against internet-exposed systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the Oracle E-Business Suite HTTP interface, especially external access to Oracle Payments and the /OA_HTML/ibytransmit endpoint, using network ACLs, reverse proxy restrictions, VPN gating, or temporary isolation from untrusted networks. Increase monitoring for POST requests to /OA_HTML/ibytransmit, anomalous XML payloads, references to CODEX_PULL, and attempts to access filesystem paths such as /etc/passwd. These measures are only temporary risk reductions and do not eliminate the underlying vulnerability.

Remediation

Patch, then assume compromise.

Apply Oracle's May 2026 Critical Patch Update addressing CVE-2026-46817 for Oracle E-Business Suite Oracle Payments. Upgrade or patch affected Oracle E-Business Suite deployments running versions 12.2.3 through 12.2.15 in accordance with Oracle's advisory and validate that the File Transmission component is updated to the vendor-fixed level. Because exploitation has been observed in the wild, organizations should also review logs and host/application telemetry for prior compromise, especially requests to /OA_HTML/ibytransmit and suspicious XML DeliveryRequest payloads.
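
The monitoring and log review described under Mitigation and Remediation can start with a triage script like the one below. This is an added example, not code from Oracle or Mallory. It assumes Apache-style access log lines and, where a proxy or WAF captured request bodies, plain-text bodies. The function names and the sample log lines and body are constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/oa_html/ibytransmit"   # endpoint named in the reporting
# Matched as plain substrings: the DeliveryRequest schema is not documented here.
BODY_MARKERS = ("DeliveryRequest", "CODEX_PULL", "FULL_FILE_PATH", "/etc/passwd")

# Assumes Apache-style common/combined access log lines.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize(path):
    """Drop query string and path parameters, decode %XX, collapse slashes."""
    path = unquote(path.split("?", 1)[0]).split(";", 1)[0]
    return re.sub(r"/+", "/", path).rstrip("/").lower()

def triage_access_log(lines):
    """Return one finding per request that reached the ibytransmit endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["path"]) != ENDPOINT:
            continue
        # Heuristic (assumption): a POST answered 2xx was processed, review first.
        high = m["method"] == "POST" and m["status"].startswith("2")
        findings.append({"client": m["client"], "time": m["time"],
                         "method": m["method"], "status": int(m["status"]),
                         "priority": "high" if high else "review"})
    return findings

def body_markers(body):
    """List the reported markers present in a captured request body."""
    lowered = body.lower()
    return [mk for mk in BODY_MARKERS if mk.lower() in lowered]

# Constructed sample data (documentation IP ranges, elided body), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/May/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/May/2026:03:15:00 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 4096',
    '198.51.100.23 - - [12/May/2026:03:16:41 +0000] "GET //OA_HTML/ibytransmit?x=1 HTTP/1.1" 404 0',
]
SAMPLE_BODY = "<DeliveryRequest>[elided] CODEX_PULL [elided] FULL_FILE_PATH [elided] /etc/passwd"

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG):
        print(f)
    print(body_markers(SAMPLE_BODY))
```

Standard access logs do not record request bodies, so `body_markers` is only useful against proxy, WAF, or packet-capture data. Any hit on the endpoint from an untrusted source address is worth reviewing regardless of the body.
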
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor    Product             Type
Oracle    E-Business Suite    application
Oracle    Payments            application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
