CVE-2026-46963 - Vulnerability Details

Description

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Published: 2026-06-16

Score: 9.9 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability allows an attacker with low privileges and network access via HTTP to compromise the Oracle Universal Work Queue. Exploitation can lead to full takeover of the Work Provider Site Level Administration component, resulting in complete loss of confidentiality, integrity, and availability. The CVSS score of 9.9 indicates a severe security impact, as reflected in the vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Affected Systems

Oracle Universal Work Queue for Oracle E-Business Suite is affected. Supported versions from 12.2.3 through 12.2.15 are vulnerable. The issue resides in the Work Provider Site Level Administration component. If your environment runs any of these versions, it is impacted.

Risk and Exploitability

The EPSS score of <1% denotes a very low probability of exploitation in the wild, but the risk is still significant due to the high severity. The vulnerability is not listed in CISA KEV, so there are no known public exploit kits available yet. The likely attack vector is network-based via HTTP, and an attacker only needs low privileges to initiate the attack.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Universal Work Queue

affected

Version	Status	Constraints
`12.2.3`	affected	≤ 12.2.15

No data.

Vendor Product Confidence Versions

Oracle

Universal Work Queue

95%

Version	Status	Scheme	Platform
`[12.2.3,12.2.15]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Oracle Universal Work Queue to the latest patch release that addresses CVE-2026-46963 (consult Oracle security advisory for the specific patch number).
Restrict HTTP access to the Work Provider Site Level Administration interface by configuring firewall or reverse proxy rules so that only trusted IP addresses can reach it.
Monitor audit logs for abnormal login or configuration changes in the Universal Work Queue, and investigate any suspicious activity promptly.

Generated by OpenCVE AI on June 17, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00447.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cspujun2026.html

History

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle universal Work Queue
CPEs		cpe:2.3:a:oracle:universal_work_queue::::::::
Vendors & Products		Oracle Oracle universal Work Queue
References		https://www.oracle.com/security-alerts/cspujun2026.html
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Universal Work Queue

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-06-16T19:28:04.155Z

Updated: 2026-06-17T18:13:57.747Z

Reserved: 2026-05-18T15:55:10.314Z

Link: CVE-2026-46963

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:00:16Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object