Skip to main content

Oracle E-Business Suite CVE-2026-46824

| EUVDEUVD-2026-33047 CRITICAL
Improper Privilege Management (CWE-269)
2026-05-28 oracle GHSA-r732-c3p5-72x5
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:24 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows low-privileged remote attackers over HTTP to fully compromise the product with confidentiality, integrity, and availability impact. The CVSS 9.9 score reflects a scope-changing flaw whose blast radius extends to other Oracle E-Business Suite products beyond Universal Work Queue itself. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority Oracle Critical Patch Update item.

Technical ContextAI

Oracle Universal Work Queue (UWQ) is a task-routing and assignment engine inside Oracle E-Business Suite (EBS) that distributes work items (service requests, leads, collections tasks) to agents across CRM and ERP modules. The affected component, Work Provider Site Level Administration, governs how external 'work providers' are registered and configured per site, which is a privileged administrative surface accessible through the EBS HTTP application stack (Oracle Application Server / WebLogic-fronted Forms and OA Framework pages). The CWE is not assigned by Oracle, but the CVSS scope-change (S:C) combined with low-privileged HTTP access strongly suggests an authorization or input-handling weakness in a site-administration endpoint that authorizes actions against shared EBS infrastructure such as FND security or AOL session context. Affected CPE is cpe:2.3:a:oracle_corporation:oracle_universal_work_queue across all listed versions of the 12.2 train.

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of May 2026 as documented at https://www.oracle.com/security-alerts/cspumay2026.html; Oracle distributes UWQ fixes as patch sets layered on EBS 12.2 - locate the CPU-specific patch for your installed 12.2.x level (12.2.3 through 12.2.15) and apply via adop. Patch available per vendor advisory; the input does not enumerate an exact fix version, so administrators should pull the exact CPU patch number from My Oracle Support that maps to CVE-2026-46824. As an interim compensating control, restrict HTTP access to the Universal Work Queue administration URLs (e.g., the OA_HTML / OA.jsp paths that load the Work Provider Site Level Administration function) to trusted internal network ranges via a reverse proxy or WAF rule, and audit FND_USER accounts holding UWQ responsibilities to remove unnecessary low-privileged accounts - the trade-off is that legitimate remote agents and partners using those flows will be blocked until allowlisted. Disabling the Work Provider Site Level Administration menu through Function Security exclusions removes the attack surface but breaks legitimate work-provider configuration changes until the patch is applied.

Share

CVE-2026-46824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy