Skip to main content

Oracle Universal Work Queue EUVDEUVD-2026-37277

| CVE-2026-46966 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable EBS endpoint (AV:N), requires a valid low-privileged EBS account (PR:L), non-trivial preconditions for success (AC:H), no user interaction, and full takeover of the UWQ module (C:H/I:H/A:H, S:U).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:48 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle Universal Work Queue is possible in Oracle E-Business Suite versions 12.2.3 through 12.2.15 via the Work Provider Site Level Administration component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the module. Oracle classifies the issue as difficult to exploit (AC:H), and no public exploit identified at time of analysis. The flaw was disclosed in the Oracle Critical Patch Update of June 2026.

Technical ContextAI

Oracle Universal Work Queue (UWQ) is an E-Business Suite module that dispatches and routes work items (service requests, leads, tasks) to CRM/ERP users, integrating with components such as TeleService, Sales, and Service Contracts. The vulnerable surface is the Work Provider Site Level Administration interface, an HTTP-accessible administration function used to register and configure work providers at the site level. No CWE was assigned, but the combination of a high-complexity, low-privileged HTTP path leading to full takeover of the module is consistent with an authenticated logic or injection flaw in the administrative endpoint rather than a memory-corruption bug. The single affected CPE (oracle_universal_work_queue) and the 12.2.3-12.2.15 range cover the entire currently supported EBS 12.2 release train.

RemediationAI

Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 fixes for E-Business Suite 12.2.3-12.2.15 as documented at https://www.oracle.com/security-alerts/cspujun2026.html, using the specific UWQ patch identifiers listed in the CPU patch availability matrix for your EBS release. Until the CPU can be applied, compensating controls include restricting network reach to the EBS HTTP tier (place the application behind a VPN or IP-allowlisted reverse proxy so only trusted operator subnets can reach /OA_HTML/ URLs), revoking the UWQ administration responsibility from non-administrative users in FND so low-privileged accounts cannot reach Work Provider Site Level Administration, and enabling WAF/URL-firewall rules to log and rate-limit requests to UWQ administration paths - note that tightening responsibilities may disrupt legitimate work-routing administrators, and front-end ACLs will not protect against malicious insiders already on the corporate network.

Share

EUVD-2026-37277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy