CVE-2026-46966 Overview
CVE-2026-46966 is a high severity vulnerability affecting the Oracle Universal Work Queue product within Oracle E-Business Suite. The flaw resides in the Work Provider Site Level Administration component and impacts supported versions 12.2.3 through 12.2.15. A low-privileged attacker with network access via HTTP can exploit the weakness to compromise the application, although exploitation is rated as difficult. Successful attacks result in full takeover of Oracle Universal Work Queue, with high impact to confidentiality, integrity, and availability. The vulnerability is categorized under [CWE-269] Improper Privilege Management.
Critical Impact
Successful exploitation leads to complete takeover of Oracle Universal Work Queue, exposing business workflow data and operational integrity.
Affected Products
- Oracle E-Business Suite — Oracle Universal Work Queue 12.2.3
- Oracle E-Business Suite — Oracle Universal Work Queue versions 12.2.4 through 12.2.14
- Oracle E-Business Suite — Oracle Universal Work Queue 12.2.15
Discovery Timeline
- 2026-06-17 - CVE-2026-46966 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-46966
Vulnerability Analysis
The vulnerability exists in the Work Provider Site Level Administration component of Oracle Universal Work Queue, a workflow distribution module within Oracle E-Business Suite. An authenticated attacker holding low privileges can issue crafted HTTP requests to interact with administrative functionality that should be restricted to higher-privileged roles. The flaw allows the attacker to escalate access and assume control over the module. Oracle classifies the impact as high across all three CIA dimensions, indicating that an attacker can read sensitive workflow data, modify queue routing, and disrupt service availability.
Root Cause
The root cause is improper privilege management [CWE-269] within the Work Provider Site Level Administration interface. Authorization checks fail to adequately constrain low-privileged users from invoking administrative operations exposed by the component. This permits horizontal and vertical privilege boundaries to be crossed once a session is established.
Attack Vector
The attack vector is network-based over HTTP. The attacker must possess valid low-level credentials to the Oracle E-Business Suite environment, and exploitation complexity is high — implying specific conditions or timing must be met to trigger the privilege escalation. No user interaction is required. The EPSS probability is 0.301% with a percentile of 21.547, reflecting limited observed exploitation activity at the time of publication. Refer to the Oracle Security Alert for vendor-confirmed technical context.
Detection Methods for CVE-2026-46966
Indicators of Compromise
- Unexpected HTTP POST or PUT requests to Work Provider Site Level Administration endpoints originating from accounts without administrative roles.
- Modifications to work provider configurations, site-level routing, or queue assignments outside of scheduled change windows.
- New or altered privileged role assignments within Oracle E-Business Suite audit logs following anomalous HTTP traffic.
Detection Strategies
- Correlate Oracle E-Business Suite application audit logs with web server access logs to identify low-privileged users invoking administrative URLs.
- Baseline normal usage patterns for Universal Work Queue administrative endpoints and alert on deviations by role or source IP.
- Inspect database audit trails for unauthorized writes to work provider configuration tables.
Monitoring Recommendations
- Enable Oracle E-Business Suite Sign-On Audit and Page Access Tracking for the Universal Work Queue module.
- Forward web tier and database audit logs to a centralized SIEM for correlation across the Oracle stack.
- Monitor for repeated authentication followed by access to administrative components, which can indicate exploitation attempts.
How to Mitigate CVE-2026-46966
Immediate Actions Required
- Apply the Oracle Critical Patch Update referenced in the Oracle Security Alert to all Oracle E-Business Suite environments running versions 12.2.3 through 12.2.15.
- Audit existing user accounts and remove unnecessary low-privilege access to the Universal Work Queue module.
- Restrict network access to Oracle E-Business Suite HTTP endpoints to trusted segments using firewall and reverse proxy rules.
Patch Information
Oracle addressed CVE-2026-46966 in its June 2026 Critical Patch Update. Administrators should consult the Oracle Security Alert for the patch matrix corresponding to each affected 12.2.x release and apply the fixes following Oracle's recommended patching procedure for E-Business Suite.
Workarounds
- If patching cannot be completed immediately, place Oracle E-Business Suite behind a web application firewall and block direct access to Work Provider Site Level Administration URLs from non-administrative users.
- Enforce strict role separation and remove any non-essential responsibilities that grant access to Universal Work Queue administrative functions.
- Require multi-factor authentication for all Oracle E-Business Suite accounts to reduce the risk of credential abuse against the affected endpoints.
# Configuration example: restrict access to Universal Work Queue admin paths at the reverse proxy
# Apache httpd example
<Location "/OA_HTML/IEU">
Require ip 10.0.0.0/8
Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

