Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-37274

| CVE-2026-46963 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

HTTP-reachable EBS endpoint (AV:N), Oracle states easily exploitable (AC:L), requires a low-tier EBS account (PR:L), no user interaction, and scope change with full CIA impact on linked modules.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:50 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component via HTTP, with a scope change that can significantly impact other connected products. The CVSS 3.1 base score of 9.9 reflects high confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis. Authenticated EBS users - including low-tier business users - should be treated as potential threat actors against this surface.

Technical ContextAI

Oracle Universal Work Queue (UWQ) is an Oracle E-Business Suite component that distributes and routes work items (tasks, service requests, sales leads, etc.) to back-office and CRM users. The vulnerable surface is the Work Provider Site Level Administration component, which manages how work-provider configurations are bound to operating units and sites. Per the CPE (cpe:2.3:a:oracle_corporation:oracle_universal_work_queue), the affected code ships as part of the EBS 12.2 application tier and is reachable over the standard EBS HTTP listener. No CWE was assigned by Oracle, but the combination of low-privilege HTTP exploitation, full CIA impact, and an explicit scope change is consistent with an authorization or trust-boundary flaw - most commonly improper access control or unsafe deserialization/parameter handling in an EBS servlet that lets a low-tier session act on or as a higher-privileged context.

RemediationAI

Apply the patch available per vendor advisory in the Oracle Critical Patch Update - June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); the specific CPU patch number for Universal Work Queue 12.2.3-12.2.15 should be selected per the matrix in that advisory, as Oracle does not publish standalone fix versions for EBS components. Until the CPU is applied, compensating controls include restricting network reach to the EBS application tier so the Universal Work Queue servlets are only accessible from trusted internal networks or via VPN (side effect: breaks remote employee/partner access to UWQ-routed work), tightening EBS responsibility assignments so low-privileged users cannot reach Work Provider Site Level Administration functions (side effect: may disrupt legitimate task routing for affected roles), and enabling enhanced WAF/HTTP request logging on the EBS Oracle HTTP Server for UWQ URIs to detect anomalous parameter manipulation (side effect: increased log volume). Do not rely on these workarounds long-term - the scope-change nature of the flaw means a successful exploit can pivot beyond UWQ even if UWQ itself is rarely used.

Share

EUVD-2026-37274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy