PatchSiren

CVE-2026-46824 Oracle Corporation CVE debrief

A critical vulnerability (CVSS 9.9) in Oracle Universal Work Queue, a component of Oracle E-Business Suite, was disclosed on May 28, 2026. The flaw resides in the Work Provider Site Level Administration component and affects versions 12.2.3 through 12.2.15. A low-privileged attacker with network access can exploit this vulnerability via HTTP to achieve complete takeover of Oracle Universal Work Queue. The scope change indicator (S:C) signals that successful exploitation may significantly impact additional products beyond the vulnerable component itself. The vulnerability carries the highest severity rating due to its network attack vector, low attack complexity, and complete impacts to confidentiality, integrity, and availability. Oracle has published security guidance in their May 2026 Critical Patch Update. Organizations running affected versions should prioritize patching given the easily exploitable nature and critical impact of this vulnerability.

Vendor: Oracle Corporation
Product: Oracle Universal Work Queue
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Oracle E-Business Suite with Universal Work Queue versions 12.2.3-12.2.15, particularly those with externally accessible HTTP interfaces or multi-product E-Business Suite deployments where scope change impacts may propagate.

Technical summary

The vulnerability exists in the Work Provider Site Level Administration component of Oracle Universal Work Queue within Oracle E-Business Suite. The attack requires low privileges and network access via HTTP, with low attack complexity. Successful exploitation results in complete compromise (takeover) of Oracle Universal Work Queue with potential scope expansion to additional products. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impacts across confidentiality, integrity, and availability.

Defensive priority

Critical

Recommended defensive actions

  • Apply Oracle Critical Patch Update for May 2026 immediately to affected Oracle E-Business Suite Universal Work Queue deployments
  • Verify inventory of Oracle Universal Work Queue instances running versions 12.2.3 through 12.2.15
  • Review access controls and network segmentation for Oracle E-Business Suite environments to limit HTTP exposure
  • Monitor for anomalous HTTP traffic to Work Provider Site Level Administration endpoints
  • Assess scope of potential impact given the S:C scope change indicator for additional affected products
  • Coordinate with Oracle support for patch deployment guidance in complex E-Business Suite environments

Evidence notes

The vulnerability description is sourced from the NVD record, which carries the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. Vendor attribution to Oracle was derived from reference domain analysis and carries a low-confidence flag for review. Affected product versions are explicitly listed as 12.2.3-12.2.15.

Official resources

Oracle disclosed this vulnerability on May 28, 2026 as part of their Critical Patch Update security advisory cycle.