Description
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical flaw in Oracle Universal Work Queue allows an attacker who only has low privileges but network access via HTTP to compromise the system. The exploit can elevate privileges enough to take over the Work Queue, leading to full loss of confidentiality, integrity, and availability for the affected environment. The CVSS 3.1 score of 9.9 reflects the potential for complete takeover.

Affected Systems

Oracle Universal Work Queue versions 12.2.3 through 12.2.15 are impacted. The vulnerability resides in the Work Provider Site Level Administration component of Oracle E-Business Suite and implies that an attacker can affect Oracle Universal Work Queue directly and potentially compromise other related products, as the scope is a change.

Risk and Exploitability

The vulnerability is highly exploitable: an attacker simply needs network accessibility to the Work Queue service over HTTP and can employ a low-privilege account to trigger the exploit. The EPSS score of 0.00042 indicates a very low probability of exploitation, but the 9.9 severity and lack of KEV listing do not diminish the urgency, as the flaw grants complete control over the affected system. This represents a critical risk that requires immediate remediation.

Generated by OpenCVE AI on May 29, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch or upgrade to a version that addresses CVE‑2026‑46824
  • Restrict HTTP access to Oracle Universal Work Queue so only trusted hosts can reach the service
  • Limit the Work Provider Site Level Administration interface for low‑privileged users until a fix is applied
  • Monitor traffic and logs for abnormal HTTP requests targeting the Work Queue

Generated by OpenCVE AI on May 29, 2026 at 18:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title Low-Privilege Remote Exploitation in Oracle Universal Work Queue
Weaknesses CWE-285

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege Remote Exploitation in Oracle Universal Work Queue
Weaknesses CWE-284
CWE-285

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle universal Work Queue
CPEs cpe:2.3:a:oracle:universal_work_queue:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle universal Work Queue
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Oracle Universal Work Queue
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:44:03.712Z

Reserved: 2026-05-18T15:55:10.303Z

Link: CVE-2026-46824

cve-icon Vulnrichment

Updated: 2026-05-29T15:43:59.769Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T21:16:32.413

Modified: 2026-05-29T16:16:29.693

Link: CVE-2026-46824

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:45:05Z

Weaknesses