Skip to main content

Oracle E-Business Suite CVE-2026-46963

| EUVDEUVD-2026-37274 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

HTTP-reachable EBS endpoint (AV:N), Oracle states easily exploitable (AC:L), requires a low-tier EBS account (PR:L), no user interaction, and scope change with full CIA impact on linked modules.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:50 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component via HTTP, with a scope change that can significantly impact other connected products. The CVSS 3.1 base score of 9.9 reflects high confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach UWQ Work Provider Site admin endpoint over HTTP
Exploit
Send crafted request exploiting authorization flaw
Execution
Take over Universal Work Queue component
Persist
Pivot via scope change to linked EBS modules
Impact
Exfiltrate or tamper with cross-module business data

Vulnerability AssessmentAI

Exploitation Attacker must hold valid low-privileged credentials to the Oracle E-Business Suite instance and be able to reach the Universal Work Queue 'Work Provider Site Level Administration' HTTP endpoint on the EBS application tier; target must be running EBS 12.2.3 through 12.2.15 with the Universal Work Queue component deployed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All measurable signals point to high real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any low-privileged Oracle E-Business Suite account - for example, an internal employee with a basic self-service responsibility, or a compromised partner-portal credential - sends a crafted HTTP request to the Work Provider Site Level Administration endpoint and abuses the flaw to take over Oracle Universal Work Queue. Because of the CVSS scope change, the attacker then leverages UWQ's trust relationships to read or modify data in other EBS modules (CRM, Service, Order Management), achieving a full confidentiality, integrity, and availability compromise across linked components. …
Remediation Apply the patch available per vendor advisory in the Oracle Critical Patch Update - June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); the specific CPU patch number for Universal Work Queue 12.2.3-12.2.15 should be selected per the matrix in that advisory, as Oracle does not publish standalone fix versions for EBS components. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

**Within 24 hours:** Inventory all EBS instances running versions 12.2.3 through 12.2.15 and count authenticated users with access to Universal Work Queue. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy