Skip to main content

Oracle Universal Work Queue EUVDEUVD-2026-37275

| CVE-2026-46964 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable EBS HTTP endpoint, low complexity, requires a low-privileged EBS account (PR:L), no user interaction, scope change to other EBS products, full CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:49 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover of Oracle Universal Work Queue (component: Work Provider Site Level Administration) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to compromise the application with scope change extending impact to additional products. The CVSS 3.1 base score is 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privileged EBS account
Delivery
Reach Universal Work Queue HTTP endpoint
Exploit
Send crafted Work Provider Site Level Administration request
Install
Exploit authorization/input flaw
C2
Take over Universal Work Queue module
Execute
Pivot via scope change to other EBS products
Impact
Exfiltrate or tamper with EBS data

Vulnerability AssessmentAI

Exploitation Attacker must (1) reach the Oracle E-Business Suite HTTP middle tier hosting the Universal Work Queue module over the network and (2) hold any valid low-privileged EBS account (PR:L) able to authenticate to the Work Provider Site Level Administration component in EBS 12.2.3-12.2.15. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to this being a real priority for EBS operators: CVSS 3.1 is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) - network reachable, low complexity, only low privileges needed, no user interaction, and a scope change meaning impact extends beyond Universal Work Queue itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any low-privileged EBS account - for example a self-service or supplier-portal user reachable over the internet - sends a crafted HTTP request to the Work Provider Site Level Administration endpoint and abuses the flaw to take over the Universal Work Queue module, then pivots through the scope change to read or modify data in other EBS products such as CRM or HR. No public exploit identified at time of analysis, but the AC:L/PR:L/UI:N profile means weaponization is straightforward once details are reverse-engineered from the June 2026 CPU.
Remediation Patch available per vendor advisory: apply the fixes delivered in the Oracle Critical Patch Update - June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to every EBS 12.2.3-12.2.15 environment running Universal Work Queue; Oracle does not publish per-CVE point versions, so apply the CPU bundle rather than waiting for an isolated hotfix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Oracle E-Business Suite 12.2.3-12.2.15 and immediately restrict network access to Work Provider Site Level Administration interfaces using firewall rules limiting to administrative IP ranges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy