Description
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Work Provider Site Level Administration component of Oracle Universal Work Queue lets a low‑privileged attacker with network access exploit the system over HTTP. The vulnerability can be used to compromise Oracle Universal Work Queue, resulting in takeover with significant confidentiality, integrity, and availability impacts, as described by the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Affected Systems

Oracle Universal Work Queue, part of Oracle E‑Business Suite, is vulnerable in versions 12.2.3 through 12.2.15. Administrators should verify the version of their installation to determine exposure.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity. Although the EPSS probability is lower than 1 % and the vulnerability is not listed in the CISA KEV catalog, the low‑privileged, network‑only prerequisites and lack of a user interaction requirement make exploitation straightforward for an attacker who can reach the service.

Generated by OpenCVE AI on June 19, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s patch that addresses CVE-2026-46965 as soon as it becomes available.
  • Restrict HTTP access to the Work Provider Site Level Administration interface to a limited set of trusted hosts or connections via a VPN.
  • Review and enforce stricter administrative access controls, including multi‑factor authentication, and monitor the system for anomalous or unauthorized activity.

Generated by OpenCVE AI on June 19, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Low‑Privilege HTTP‑Based Takeover in Oracle Universal Work Queue

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote HTTP Compromise of Oracle Universal Work Queue
Weaknesses CWE-269

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Remote HTTP Compromise of Oracle Universal Work Queue
Weaknesses CWE-269
CWE-284
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle universal Work Queue
CPEs cpe:2.3:a:oracle:universal_work_queue:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle universal Work Queue
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Universal Work Queue
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T17:31:56.959Z

Reserved: 2026-05-18T15:55:10.314Z

Link: CVE-2026-46965

cve-icon Vulnrichment

Updated: 2026-06-17T17:30:35.714Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:30:17Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function