CVE-2026-46824: Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration)
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
HarborGuard Analysis
Synopsis
A critical-severity vulnerability affects the Work Provider Site Level Administration component of Oracle Universal Work Queue, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over the network via HTTP and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker full control over the affected instance and can spill over to compromise additional products in the same environment. No fix versions have been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Oracle ships a patch.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: CVE-2026-46824 is matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle Oracle E-Business Suite components.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 9.9 Critical and weighting it against each environment's compliance policy to surface it at the appropriate severity tier; routing to the right team inbox within a customer org is handled automatically based on image ownership and policy configuration.
Status: Available
Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears. In the interim, customers can apply compensating controls through HarborGuard's network-policy isolation and egress-filtering recommendations surfaced on this finding.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Universal Work Queue HTTP interface over the network; no local or physical access is required.
- Authentication: Required
Any low-privilege account on the application is sufficient; no administrative or elevated credentials are needed.
- Victim interaction: Not required
No user action or social-engineering step is needed; the attacker can trigger the vulnerability entirely on their own.
- Attack complexity: Detail
Exploitation is reliable and condition-free; no race conditions, memory-layout dependencies, or special environmental factors are required.
Blast Radius
- A successful attacker achieves full takeover of the Oracle Universal Work Queue instance, reading all stored work-queue data including user assignments and configuration.
- The attacker can modify or delete persisted records, disrupting work routing and queue state across all users of the affected instance.
- The service itself can be crashed or made unavailable, halting work-queue processing for dependent business processes.
- Because the CVSS scope is changed, the attacker's access can extend to additional co-hosted Oracle E-Business Suite products, amplifying the impact beyond the initial compromise point.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46824, the platform monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild option the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is available. While awaiting a patch, HarborGuard surfaces compensating-control guidance for this finding: network-policy isolation to restrict HTTP access to the Work Provider Site Level Administration component to known trusted CIDRs, egress filtering to limit lateral-movement paths to co-hosted EBS products, and feature-flag or access-control gating at the application tier to reduce the pool of accounts that can reach the vulnerable component. Given the CVSS 9.9 Critical score and scope-change impact, customers running affected versions (12.2.3 through 12.2.15) should treat this finding as highest priority in their triage queue.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - Oracle Corporation / Oracle Universal Work Queue ≤ 12.2.15
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H