Critical

Unauthenticated Remote Takeover in Oracle E-Business Suite Oracle Payments File Transmission

Identifiers: CVE-2026-46817, CWE-306 · Missing Authentication for…

CVE-2026-46817 is a critical vulnerability in the File Transmission component of Oracle Payments within Oracle E-Business Suite. Oracle states that supported versions 12.2.3 through 12.2.15 are affected. The flaw is remotely exploitable over HTTP by an unauthenticated attacker, requires low attack complexity, and does not require user interaction. Successful exploitation can result in takeover of Oracle Payments. Reporting on observed exploitation indicates attacks targeted the /OA_HTML/ibytransmit endpoint with crafted XML DeliveryRequest payloads, including abuse of the CODEX_PULL transmission scheme and a FULL_FILE_PATH value of /etc/passwd, suggesting the exploit path may involve unsafe file handling, local file read, or path traversal behavior in the file transmission workflow. Oracle assigned CVSS v3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows full compromise of the Oracle Payments component, with high impact to confidentiality, integrity, and availability. In practical terms, this is described as takeover of Oracle Payments by an unauthenticated remote attacker. Based on the observed attack activity and Oracle’s scoring, exploitation may enable unauthorized access to sensitive payment-related data, manipulation of application behavior or transmitted files, and disruption or loss of service availability. Active in-the-wild exploitation has been reported.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of Oracle E-Business Suite HTTP interfaces to trusted networks only, restrict or disable external access to the Oracle Payments File Transmission endpoint where operationally feasible, and increase monitoring for suspicious POST requests to /OA_HTML/ibytransmit and crafted XML DeliveryRequest payloads, particularly those referencing CODEX_PULL or unexpected file path parameters. Review logs and host telemetry for signs of exploitation or post-compromise activity. These measures are temporary risk reductions only and do not eliminate the underlying vulnerability.
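The monitoring step above can be expressed as a small log triage routine. This is an added example, not code from Oracle or Mallory; it assumes access logs in common/combined format, an optional request-body excerpt from a WAF or proxy, and a hypothetical trusted range of 10.20.0.0/16. The sample records are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

ENDPOINT = "/oa_html/ibytransmit"  # endpoint named in the advisory, lower-cased
HIGH_MARKERS = ("CODEX_PULL", "FULL_FILE_PATH")  # strings reported in observed attacks
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: internal range

# Common/combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def triage(log_line, body=""):
    """Return a finding for a request to the endpoint, or None if unrelated."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    # Drop the query string, then decode percent-escapes, before comparing paths.
    path = unquote(m["target"].split("?", 1)[0]).rstrip("/").lower()
    if path != ENDPOINT:
        return None
    try:
        src = ipaddress.ip_address(m["ip"])
        external = not any(src in net for net in TRUSTED_NETS)
    except ValueError:  # hostname or garbage in the client field
        external = True
    markers = [k for k in HIGH_MARKERS if k.lower() in body.lower()]
    if m["method"] == "POST" and markers:
        severity = "high"
    elif m["method"] == "POST" and external:
        severity = "medium"
    else:
        severity = "low"
    return {"src": m["ip"], "method": m["method"], "status": int(m["status"]),
            "external": external, "markers": markers, "severity": severity}

# Constructed sample records (documentation IP ranges). The body excerpt is a
# placeholder token string, not the real DeliveryRequest schema.
SAMPLES = [
    ('203.0.113.7 - - [01/Jan/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512',
     "DeliveryRequest CODEX_PULL FULL_FILE_PATH /etc/passwd"),
    ('198.51.100.23 - - [01/Jan/2026:03:15:10 +0000] "POST /OA_HTML/%69bytransmit?x=1 HTTP/1.1" 500 0', ""),
    ('10.20.4.9 - - [01/Jan/2026:09:00:00 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 80', ""),
    ('203.0.113.7 - - [01/Jan/2026:03:16:00 +0000] "GET /OA_HTML/other.jsp HTTP/1.1" 200 900', ""),
]

def scan(records):
    return [f for f in (triage(line, body) for line, body in records) if f]
```

Access logs alone rarely contain request bodies, so the "high" tier only fires where a WAF, proxy or packet capture supplies the body excerpt; without it, external POSTs to the endpoint surface as "medium" for manual review.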

Remediation

Patch, then assume compromise.

Apply Oracle’s May 2026 Critical Patch Update addressing CVE-2026-46817. Oracle indicates affected Oracle E-Business Suite Oracle Payments versions are 12.2.3 through 12.2.15; organizations should update to the vendor-fixed version or patch level specified in Oracle’s advisory. Because exploitation has been observed in the wild, patching should be prioritized and followed by review for indicators of compromise on exposed Oracle E-Business Suite instances, especially the Oracle Payments File Transmission functionality and the /OA_HTML/ibytransmit endpoint.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product            Type
Oracle   E-Business Suite   application
Oracle   Payments           application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
