Wasteland.
⚡ Active KEV CVE-2026-46824 2026-05-28

CVE-2026-46824: Critical Oracle E-Business Suite Universal Work Queue Takeover

A critical (CVSS 9.9) vulnerability in Oracle E-Business Suite's Universal Work Queue component allows a low-privileged, network-based attacker to take over the product and pivot into additional Oracle products through a scope change.

What Is It

CVE-2026-46824 is a critical vulnerability in the Work Provider Site Level Administration component of Oracle Universal Work Queue, part of Oracle E-Business Suite. According to Oracle, the flaw is "easily exploitable" by a low-privileged attacker with network access via HTTP, requires no user interaction, and results in full takeover of Universal Work Queue. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects a scope change, meaning successful exploitation can significantly impact components beyond the vulnerable product itself.

Why It Matters

The 9.9 base score is driven by network exploitability, a low privilege requirement, no user interaction, and high impact across confidentiality, integrity, and availability, combined with a changed scope. Oracle E-Business Suite typically backstops core financial, HR, procurement, and supply chain operations for large enterprises and public sector tenants, so a takeover with downstream blast radius is operationally significant. The "low privileges required" bar means any authenticated foothold, including low-tier business users, is enough to launch the attack.

What's Vulnerable

Patch Status

Oracle published this CVE on 2026-05-28 as part of its May 2026 Critical Patch Update advisory (cspumay2026). Administrators running affected E-Business Suite 12.2.3–12.2.15 deployments should apply the May 2026 CPU as the primary remediation. No public KEV listing has been supplied with this record, so there is no confirmed CISA-tracked in-the-wild exploitation at the time of publication, but the "easily exploitable" classification and low privilege bar warrant prompt patching regardless.

Sources