Description
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L).
Published: 2026-04-21
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification and Partial Denial of Service
Action: Patch
AI Analysis

Impact

Oracle Workflow contains an authorization bypass in its Workflow Loader component that allows an attacker who already has high privileges to perform unauthorized insert, update or delete operations on Workflow data and to trigger a partial denial of service. This flaw directly impacts the integrity and availability of Oracle Workflow accessible data, while the confidentiality impact is limited. Based on the description, the vulnerability requires the attacker to reach the system via HTTP and to hold high‑level credentials on the host.

Affected Systems

Oracle Corporation's Oracle Workflow product, part of Oracle E-Business Suite, is affected in versions 12.2.3 through 12.2.15. The flaw is located in the Workflow Loader component of these releases. Administrators running these versions should check whether the Workflow Loader component is installed and reachable.

Risk and Exploitability

The CVSS 3.1 base score of 5.5 indicates moderate severity with low to moderate impact on integrity and availability. The EPSS score is less than 1%, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending crafted HTTP requests to the Workflow Loader endpoint when they already possess high‑privilege access. The likely attack vector is network access via the exposed HTTP interface, and the risk is bounded by the prerequisite of high privileges.

Generated by OpenCVE AI on April 28, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle CPU Apr 2026 patch for Oracle Workflow (versions 12.2.3-12.2.15) to fix the authorization bypass in the Workflow Loader component.
  • Restrict direct HTTP access to the Workflow Loader service by implementing firewall rules or VPN restrictions so that only trusted hosts can reach the endpoint.
  • Disable or limit the use of the Workflow Loader feature if it is not essential, and re‑configure it to run under a least‑privilege account whenever possible.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Oracle Workflow Authorization Bypass Enables Unauthorized Data Modification and Partial Denial of Service

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Authorization Bypass in Oracle Workflow Loader Enables Data Tampering and Partial Denial of Service
Weaknesses CWE-285

Thu, 23 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Title Authorization Bypass in Oracle Workflow Loader Enables Data Tampering and Partial Denial of Service
Weaknesses CWE-285

Wed, 22 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Title Authorization Bypass in Oracle Workflow Allows Unauthorized Data Modification and Partial Denial of Service
Weaknesses CWE-284
CWE-285

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Authorization Bypass in Oracle Workflow Allows Unauthorized Data Modification and Partial Denial of Service
Weaknesses CWE-284
CWE-285

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L).
First Time appeared Oracle
Oracle workflow
CPEs cpe:2.3:a:oracle:workflow:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle workflow
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:29:13.870Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34302

Vulnrichment

Updated: 2026-04-22T13:28:42.918Z

NVD

Status : Analyzed

Published: 2026-04-21T21:16:35.410

Modified: 2026-04-24T14:27:43.083

Link: CVE-2026-34302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses