CVE-2026-46963 Overview
CVE-2026-46963 is a critical access control vulnerability [CWE-284] in the Oracle Universal Work Queue component of Oracle E-Business Suite. The flaw affects the Work Provider Site Level Administration component across supported versions 12.2.3 through 12.2.15. An attacker with low privileges can exploit this issue remotely over HTTP without user interaction. Successful exploitation results in full takeover of Oracle Universal Work Queue and can affect additional connected products due to a scope change.
Critical Impact
Authenticated attackers with low privileges can compromise confidentiality, integrity, and availability of Oracle Universal Work Queue and pivot to impact additional Oracle E-Business Suite products.
Affected Products
- Oracle E-Business Suite — Oracle Universal Work Queue 12.2.3
- Oracle E-Business Suite — Oracle Universal Work Queue versions 12.2.4 through 12.2.14
- Oracle E-Business Suite — Oracle Universal Work Queue 12.2.15
Discovery Timeline
- 2026-06-17 - CVE-2026-46963 published to NVD
- 2026-06-17 - Last updated in NVD database
- 2026-06-18 - EPSS score published at 0.389%
Technical Details for CVE-2026-46963
Vulnerability Analysis
The vulnerability resides in the Work Provider Site Level Administration component of Oracle Universal Work Queue. It is classified as an improper access control issue under [CWE-284]. An authenticated attacker with minimal privileges can send crafted HTTP requests to invoke functionality without proper authorization checks. Exploitation requires no user interaction and has low attack complexity. The scope change indicates that exploitation of Oracle Universal Work Queue can affect components managed by other security authorities within the Oracle E-Business Suite stack.
Root Cause
The root cause is improper enforcement of access controls within site-level administration functions exposed by Oracle Universal Work Queue. Authorization checks fail to restrict privileged operations to users with appropriate roles. Low-privileged authenticated sessions can reach administrative code paths intended for higher-privileged accounts.
Attack Vector
The attack vector is network-based over HTTP. An attacker authenticates to Oracle E-Business Suite with any valid low-privilege account and issues crafted requests to the Universal Work Queue administration endpoints. Because the scope changes, the resulting compromise extends beyond the vulnerable component into other Oracle E-Business Suite products that trust the queue service. Refer to the Oracle Security Alert for vendor technical details.
Detection Methods for CVE-2026-46963
Indicators of Compromise
- Unexpected HTTP requests from low-privilege user sessions to Oracle Universal Work Queue site-level administration URLs.
- Creation or modification of work providers, sites, or assignment rules by accounts not normally performing administrative tasks.
- Anomalous E-Business Suite audit log entries showing privilege-sensitive operations originating from standard application users.
Detection Strategies
- Enable and review Oracle E-Business Suite Sign-On Audit and Page Access Tracking for Universal Work Queue administration functions.
- Correlate web tier access logs with application audit records to identify low-privilege accounts touching administrative endpoints.
- Baseline normal Universal Work Queue administrative activity and alert on deviations such as new source IPs or off-hours configuration changes.
Monitoring Recommendations
- Forward Oracle E-Business Suite application, database, and middle-tier logs to a centralized SIEM for correlation.
- Monitor for HTTP 200 responses to administration servlets following requests from user accounts lacking the relevant responsibility.
- Track privilege grants, responsibility assignments, and FND_USER changes adjacent in time to suspicious queue activity.
How to Mitigate CVE-2026-46963
Immediate Actions Required
- Apply the Oracle Critical Patch Update referenced in the Oracle Security Alert for June 2026 to all affected 12.2.x deployments.
- Inventory all Oracle E-Business Suite environments running Universal Work Queue versions 12.2.3 through 12.2.15 and prioritize internet-exposed instances.
- Audit recent Universal Work Queue administrative changes and review FND_USER accounts for unexpected responsibility grants.
Patch Information
Oracle addressed CVE-2026-46963 in the June 2026 Critical Patch Update. Administrators should download and apply the patches listed in the Oracle Security Alert to bring affected environments to a fixed state. Test patches in non-production environments before promoting to production.
Workarounds
- Restrict network access to Oracle E-Business Suite middle tiers using firewalls, VPN, or reverse proxy allow-lists until patching is complete.
- Remove or disable unnecessary Universal Work Queue responsibilities from low-privilege user accounts.
- Enforce strong authentication and session controls on all E-Business Suite users to reduce the population of accounts that could initiate an attack.
# Example: apply Oracle EBS patch using adop online patching
adop phase=prepare
adop phase=apply patches=<CPU_JUN2026_PATCH_ID> workers=8
adop phase=finalize
adop phase=cutover
adop phase=cleanup
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

