Description
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability permits an attacker who can reach the Oracle Universal Work Queue over HTTP to compromise the system. The description of the vulnerability indicates that an attacker who succeeds might take control of the queue service, which would compromise confidentiality, integrity, and availability. It is inferred that successful exploitation could lead to a full takeover of the service.

Affected Systems

Oracle Universal Work Queue, version 12.2.3 through 12.2.15, component Work Provider Site Level Administration. The attack can be performed by a low‑privileged network user who sends crafted HTTP requests to the exposed Work Queue service.

Risk and Exploitability

The overall CVSS score is 7.5, representing high severity. The EPSS score is less than 1%, indicating a low exploitation probability in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack is remote and the impact is complete takeover, it remains a significant risk for exposed network assets. Attackers would need to target an internet‑reachable Oracle Universal Work Queue instance; the lack of high prerequisites makes exploitation plausible if a suitable target is found. The description implies that a successful attack could lead to full takeover.

Generated by OpenCVE AI on June 18, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for Universal Work Queue (12.2.3‑12.2.15) as issued by Oracle.
  • Restrict HTTP access to the Work Queue by placing it behind an internal firewall or VPN, limiting access to trusted IP addresses.
  • Enforce strict access control so that only privileged administrators can use the Work Provider Site Level Administration interface; disable or remove unused administrative features if possible.
  • Monitor Oracle’s security advisories for additional mitigations or follow‑up updates.

Generated by OpenCVE AI on June 18, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Low-Privilege Network Exploitable Vulnerability in Oracle Universal Work Queue

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege Network Exploitable Vulnerability in Oracle Universal Work Queue
Weaknesses CWE-269
CWE-284
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle universal Work Queue
CPEs cpe:2.3:a:oracle:universal_work_queue:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle universal Work Queue
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Universal Work Queue
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T17:28:30.324Z

Reserved: 2026-05-18T15:55:10.314Z

Link: CVE-2026-46966

cve-icon Vulnrichment

Updated: 2026-06-17T17:27:16.428Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function