Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
HTTP-reachable EBS endpoint (AV:N), Oracle states easily exploitable (AC:L), requires a low-tier EBS account (PR:L), no user interaction, and scope change with full CIA impact on linked modules.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component via HTTP, with a scope change that can significantly impact other connected products. The CVSS 3.1 base score of 9.9 reflects high confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis. Authenticated EBS users - including low-tier business users - should be treated as potential threat actors against this surface.
Technical ContextAI
Oracle Universal Work Queue (UWQ) is an Oracle E-Business Suite component that distributes and routes work items (tasks, service requests, sales leads, etc.) to back-office and CRM users. The vulnerable surface is the Work Provider Site Level Administration component, which manages how work-provider configurations are bound to operating units and sites. Per the CPE (cpe:2.3:a:oracle_corporation:oracle_universal_work_queue), the affected code ships as part of the EBS 12.2 application tier and is reachable over the standard EBS HTTP listener. No CWE was assigned by Oracle, but the combination of low-privilege HTTP exploitation, full CIA impact, and an explicit scope change is consistent with an authorization or trust-boundary flaw - most commonly improper access control or unsafe deserialization/parameter handling in an EBS servlet that lets a low-tier session act on or as a higher-privileged context.
RemediationAI
Apply the patch available per vendor advisory in the Oracle Critical Patch Update - June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); the specific CPU patch number for Universal Work Queue 12.2.3-12.2.15 should be selected per the matrix in that advisory, as Oracle does not publish standalone fix versions for EBS components. Until the CPU is applied, compensating controls include restricting network reach to the EBS application tier so the Universal Work Queue servlets are only accessible from trusted internal networks or via VPN (side effect: breaks remote employee/partner access to UWQ-routed work), tightening EBS responsibility assignments so low-privileged users cannot reach Work Provider Site Level Administration functions (side effect: may disrupt legitimate task routing for affected roles), and enabling enhanced WAF/HTTP request logging on the EBS Oracle HTTP Server for UWQ URIs to detect anomalous parameter manipulation (side effect: increased log volume). Do not rely on these workarounds long-term - the scope-change nature of the flaw means a successful exploit can pivot beyond UWQ even if UWQ itself is rarely used.
More in Oracle Universal Work Queue
View allPrivilege escalation and full takeover of Oracle Universal Work Queue (component: Work Provider Site Level Administratio
Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged
Takeover of Oracle Universal Work Queue is possible in Oracle E-Business Suite versions 12.2.3 through 12.2.15 via the W
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37274