HIGH | CVE-2026-46965 | CNA: oracle

CVE-2026-46965: Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration)

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in the Work Provider Site Level Administration component of Oracle Universal Work Queue, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over the network via HTTP and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker full control over the affected Oracle Universal Work Queue instance, with high confidentiality, integrity, and availability impact. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-46965 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including internally built images that bundle Oracle E-Business Suite components.

Status: Available

Triage

Triage capability is available with the CVSS 3.1 base score of 8.8 (HIGH), surfaced alongside each customer org's compliance policy weighting to determine urgency tier. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a remediated release. In the interim, compensating controls such as network-policy isolation of the Work Queue service and HTTP-layer access restriction can be configured and tracked through HarborGuard's policy dashboard.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Oracle Universal Work Queue service over the network via HTTP; no local or physical access is needed.

  • Authentication: Required

    A low-privilege account is sufficient; any authenticated user on the system can attempt the attack without needing administrative credentials.

  • Victim interaction: Not required

    No action from another user or administrator is needed to trigger the vulnerability.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and reproducible without depending on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker reads all data accessible to Oracle Universal Work Queue, including stored work items, user session tokens, and site-level configuration.
  • The attacker can modify or delete persisted records, reassign work items, and alter site-level administration settings across the affected instance.
  • The attacker can crash or otherwise deny availability of the Oracle Universal Work Queue service, disrupting work routing for all users.
  • Because the CVSS description characterizes this as a full application takeover, the attacker gains effective control of the application process and its underlying data store.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-46965 is flagged at HIGH severity (CVSS 8.8) and matched against any image in a customer's registry or pipeline that includes an affected Oracle Universal Work Queue version (12.2.3 through 12.2.15). Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle. The moment a remediated version is released, it will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads. While awaiting an upstream patch, HarborGuard's policy engine can be used to enforce compensating controls: isolating the Work Queue service with Kubernetes network policies to restrict inbound HTTP access to known IP ranges, applying egress filtering to limit lateral movement from a compromised instance, and flagging any image running an affected version as policy-non-compliant to block promotion to production until a fix is available.
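
The network-isolation and egress-filtering controls described above, sketched as a Kubernetes NetworkPolicy. This is an added example, not HarborGuard's or Oracle's own configuration; the namespace, pod labels, ports, and CIDR range are hypothetical placeholders to replace with the values of the actual deployment.

```yaml
# Added example: every name, label, port and CIDR here is a constructed placeholder.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: uwq-restrict-http          # hypothetical policy name
  namespace: ebs                   # hypothetical namespace running the EBS web tier
spec:
  # Select only the pods that serve Oracle Universal Work Queue.
  podSelector:
    matchLabels:
      app: ebs-uwq                 # hypothetical pod label
  # Listing both types makes ingress AND egress default-deny for the selected
  # pods; only the rules below are then allowed.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Inbound HTTP only from the known client range (for example, a call-center VLAN).
    - from:
        - ipBlock:
            cidr: 10.20.0.0/24     # constructed allowlist range
      ports:
        - protocol: TCP
          port: 8000               # assumed HTTP listener port of the web tier
  egress:
    # Outbound only to the database tier the application needs, which limits
    # lateral movement from a compromised instance.
    - to:
        - podSelector:
            matchLabels:
              app: ebs-db          # hypothetical database pod label
      ports:
        - protocol: TCP
          port: 1521               # assumed database listener port
    # DNS resolution through the cluster resolver.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy objects take effect only when the cluster's network plugin enforces them, and the `ipBlock` allowlist matches the source address the pod actually sees, so a load balancer or ingress proxy that rewrites client IPs needs the restriction applied at that layer instead.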

Affected packages
  • Oracle Corporation / Oracle Universal Work Queue
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H