Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS endpoint (AV:N), requires a valid low-privileged EBS account (PR:L), non-trivial preconditions for success (AC:H), no user interaction, and full takeover of the UWQ module (C:H/I:H/A:H, S:U).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle Universal Work Queue is possible in Oracle E-Business Suite versions 12.2.3 through 12.2.15 via the Work Provider Site Level Administration component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the module. Oracle classifies the issue as difficult to exploit (AC:H), and no public exploit identified at time of analysis. The flaw was disclosed in the Oracle Critical Patch Update of June 2026.
Technical ContextAI
Oracle Universal Work Queue (UWQ) is an E-Business Suite module that dispatches and routes work items (service requests, leads, tasks) to CRM/ERP users, integrating with components such as TeleService, Sales, and Service Contracts. The vulnerable surface is the Work Provider Site Level Administration interface, an HTTP-accessible administration function used to register and configure work providers at the site level. No CWE was assigned, but the combination of a high-complexity, low-privileged HTTP path leading to full takeover of the module is consistent with an authenticated logic or injection flaw in the administrative endpoint rather than a memory-corruption bug. The single affected CPE (oracle_universal_work_queue) and the 12.2.3-12.2.15 range cover the entire currently supported EBS 12.2 release train.
RemediationAI
Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 fixes for E-Business Suite 12.2.3-12.2.15 as documented at https://www.oracle.com/security-alerts/cspujun2026.html, using the specific UWQ patch identifiers listed in the CPU patch availability matrix for your EBS release. Until the CPU can be applied, compensating controls include restricting network reach to the EBS HTTP tier (place the application behind a VPN or IP-allowlisted reverse proxy so only trusted operator subnets can reach /OA_HTML/ URLs), revoking the UWQ administration responsibility from non-administrative users in FND so low-privileged accounts cannot reach Work Provider Site Level Administration, and enabling WAF/URL-firewall rules to log and rate-limit requests to UWQ administration paths - note that tightening responsibilities may disrupt legitimate work-routing administrators, and front-end ACLs will not protect against malicious insiders already on the corporate network.
More in Oracle Universal Work Queue
View allPrivilege escalation and full takeover of Oracle Universal Work Queue (component: Work Provider Site Level Administratio
Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged
Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37277