Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46964

CVE-2026-46964: Oracle E-Business Suite Privilege Escalation

CVE-2026-46964 is a critical privilege escalation vulnerability in Oracle Universal Work Queue affecting Oracle E-Business Suite versions 12.2.3-12.2.15. This article covers technical details, impact analysis, and mitigation.

Published:

CVE-2026-46964 Overview

CVE-2026-46964 is a critical vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite. The flaw resides in the Work Provider Site Level Administration component and affects supported versions 12.2.3 through 12.2.15. A low-privileged attacker with network access over HTTP can exploit the weakness to fully compromise Oracle Universal Work Queue. The vulnerability carries a scope change, meaning successful exploitation can impact additional Oracle E-Business Suite products beyond the vulnerable component. Oracle classifies this issue under CWE-269: Improper Privilege Management.

Critical Impact

Successful exploitation results in takeover of Oracle Universal Work Queue with high confidentiality, integrity, and availability impacts, and may extend to other E-Business Suite components.

Affected Products

  • Oracle E-Business Suite — Oracle Universal Work Queue, version 12.2.3
  • Oracle E-Business Suite — Oracle Universal Work Queue, versions 12.2.4 through 12.2.14
  • Oracle E-Business Suite — Oracle Universal Work Queue, version 12.2.15

Discovery Timeline

  • 2026-06-17 - CVE-2026-46964 published to NVD
  • 2026-06-17 - Last updated in NVD database
  • 2026-06-18 - EPSS scoring data published

Technical Details for CVE-2026-46964

Vulnerability Analysis

The vulnerability exists in the Work Provider Site Level Administration component of Oracle Universal Work Queue. An attacker authenticated with low privileges can issue crafted HTTP requests to the affected component and gain control of Oracle Universal Work Queue. Oracle describes the flaw as easily exploitable, requiring no user interaction and no elevated privileges. The scope change indicates that the vulnerable component can affect resources beyond its own security authority. This expands the blast radius into other Oracle E-Business Suite modules that share trust with Universal Work Queue.

Root Cause

The issue is categorized under CWE-269: Improper Privilege Management. The Work Provider Site Level Administration component does not enforce appropriate privilege boundaries on incoming requests. A low-privileged session can perform administrative actions that should be restricted to higher-trust roles. Oracle has not published implementation-level details for this issue in the public advisory.

Attack Vector

Exploitation occurs over the network through HTTP. The attacker requires only a low-privileged authenticated session against the E-Business Suite deployment. No user interaction is needed. Because the attack changes scope, code paths reached through the vulnerable administration component can affect adjacent E-Business Suite modules. Refer to the Oracle Security Alert for vendor-supplied technical context.

No public proof-of-concept code or in-the-wild exploitation has been reported at the time of publication. A code example is therefore not included.

Detection Methods for CVE-2026-46964

Indicators of Compromise

  • Unexpected HTTP POST or administrative requests to Oracle Universal Work Queue endpoints, particularly under the Work Provider Site Level Administration paths.
  • Creation or modification of work providers, sites, or assignment rules by accounts that do not normally perform administrative actions.
  • Authentication events from low-privileged E-Business Suite users immediately followed by privileged operations in audit logs.

Detection Strategies

  • Enable Oracle E-Business Suite Sign-On Audit and FND audit policies on FND_USER, work queue, and work provider configuration tables to capture privilege changes.
  • Inspect application server access logs for repeated requests to Universal Work Queue administration servlets from a single low-privileged session.
  • Correlate web tier HTTP logs with database audit records to identify privilege escalation patterns that cross component boundaries.

Monitoring Recommendations

  • Forward Oracle HTTP Server, WebLogic, and EBS concurrent manager logs into a centralized SIEM for behavioral analysis.
  • Baseline normal administrative activity per role, then alert on deviations such as off-hours configuration changes in Universal Work Queue.
  • Track outbound calls and data access patterns from the Universal Work Queue middle tier to detect scope-change exploitation reaching other E-Business Suite modules.

How to Mitigate CVE-2026-46964

Immediate Actions Required

  • Apply the patches referenced in the Oracle Critical Patch Update advisory for affected E-Business Suite 12.2 releases.
  • Inventory all E-Business Suite environments running versions 12.2.3 through 12.2.15 and prioritize internet-facing or partner-accessible instances.
  • Review and reduce low-privileged account access to Oracle Universal Work Queue functions until patching is complete.

Patch Information

Oracle has released fixes as part of the Critical Patch Update referenced in the Oracle Security Alert. Administrators should follow Oracle's prescribed patch order for E-Business Suite 12.2, including AD/TXK and Universal Work Queue product family patches. Validate patch application in a non-production environment, then roll forward to production following standard Oracle EBS patching procedures.

Workarounds

  • Restrict network access to Oracle E-Business Suite HTTP endpoints using a reverse proxy or web application firewall rules that limit administrative URLs to trusted networks.
  • Audit and remove unused or stale low-privileged accounts that retain access to Universal Work Queue functions.
  • Enforce additional authentication controls such as multi-factor authentication at the SSO layer fronting Oracle E-Business Suite.
bash
# Example: restrict access to Universal Work Queue administration paths at the web tier
# Adjust paths to match the deployed context root for your EBS instance
<LocationMatch "^/OA_HTML/.*(IEU|UWQ).*Admin">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</LocationMatch>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.