Description
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability permits an attacker who can reach the Oracle Universal Work Queue over HTTP to compromise the system. The flaw is exploitable by a low‑privileged user and can lead to full takeover of the queue service, affecting confidentiality, integrity, and availability. The CVSS vector indicates confidentiality, integrity, and availability impacts at the scope of the application.

Affected Systems

Oracle Universal Work Queue, version 12.2.3 through 12.2.15, component Work Provider Site Level Administration. The attack can be performed by a low‑privileged network user who sends crafted HTTP requests to the exposed Work Queue service.

Risk and Exploitability

The overall CVSS score is 7.5, representing high severity. The EPSS score is less than 1%, indicating a low exploitation probability in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack is remote and the impact is complete takeover, it remains a significant risk for exposed network assets. Attackers would need to target an internet‑reachable Oracle Universal Work Queue instance; the lack of high prerequisites makes exploitation plausible if a suitable target is found.

Generated by OpenCVE AI on June 17, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for Universal Work Queue (12.2.3‑12.2.15) as issued by Oracle.
  • Restrict HTTP access to the Work Queue by placing it behind an internal firewall or VPN, limiting access to trusted IP addresses.
  • Enforce strict access control so that only privileged administrators can use the Work Provider Site Level Administration interface; disable or remove unused administrative features if possible.
  • Monitor Oracle’s security advisories for additional mitigations or follow‑up updates.

Generated by OpenCVE AI on June 17, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle universal Work Queue
CPEs cpe:2.3:a:oracle:universal_work_queue:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle universal Work Queue
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Oracle Universal Work Queue
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T17:28:30.324Z

Reserved: 2026-05-18T15:55:10.314Z

Link: CVE-2026-46966

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T04:00:02Z

Weaknesses

No weakness.