Severity: CRITICAL | CVE-2026-46963 | CNA: oracle

CVE-2026-46963: Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration)

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a critical-severity vulnerability in the Work Provider Site Level Administration component of Oracle Universal Work Queue, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. A low-privileged attacker with network access over HTTP can exploit this flaw without any victim interaction, and the scope extends beyond the vulnerable component itself. Successful exploitation results in full takeover of Oracle Universal Work Queue, including complete loss of confidentiality, integrity, and availability, with potential impact on additional products in the environment. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46963 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Oracle E-Business Suite components. Any image running an affected version of Oracle Universal Work Queue (12.2.3 through 12.2.15) is flagged automatically.

Status: Available
Triage

Triage is available with the full CVSS 3.1 score of 9.9 (Critical) surfaced alongside per-environment compliance policy weighting, so severity is contextualized against each customer organization's risk thresholds. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules for affected workloads.

Status: Available
Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Universal Work Queue service over the network via HTTP - no local or physical access is assumed in the attack scenario.

  • Authentication: Required

    Any low-privilege account is sufficient - the attacker does not need administrative credentials to trigger this vulnerability.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can exploit this vulnerability entirely without involving another person.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Reads all data accessible to Oracle Universal Work Queue, including queued work items, configuration, and any user or session data stored in or accessible through the component.
  • Modifies or destroys persisted work queue data, configuration records, and potentially data in additional connected Oracle E-Business Suite products due to scope change.
  • Crashes or degrades the Oracle Universal Work Queue service, disrupting business processes that depend on work routing and queue management.
  • Because the CVSS scope is marked as changed, a successful attacker can pivot to compromise additional products beyond the directly vulnerable component within the same environment.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with a Critical (9.9) severity rating and matched against all images in connected customer registries and pipelines. Because Oracle has not yet published a fix for affected versions 12.2.3 through 12.2.15, HarborGuard monitors the upstream advisory on every ingest cycle. Where no patch is available, compensating controls worth considering include network-policy isolation to restrict HTTP access to the Work Provider Site Level Administration interface to only authorized internal sources, egress filtering to limit lateral movement if a host is compromised, and review of which accounts hold the low-privilege access required to reach the affected component. The moment Oracle ships a fix version, a patched-image rebuild will become available on HarborGuard, and for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically.

Affected packages
  • Oracle Corporation / Oracle Universal Work Queue
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H