CVE-2026-46824 is a critical security vulnerability affecting Oracle Universal Work Queue component of Oracle E-Business Suite versions 12.2.3 to 12.2.15. The flaw allows an attacker with low privileges and network access via HTTP to fully compromise the Oracle Universal Work Queue, with potential impact extending to other Oracle products (scope change). The vulnerability has a CVSS 3.1 score of 9.9, reflecting critical confidentiality, integrity, and availability impacts. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which contains 35 new security patches across multiple products including Oracle E-Business Suite. Oracle strongly advises customers to apply these patches immediately to mitigate the risk. Workarounds such as blocking network protocols or removing privileges may reduce risk temporarily but do not fix the underlying issue.

Successful exploitation of CVE-2026-46824 can result in complete takeover of the Oracle Universal Work Queue component, impacting confidentiality, integrity, and availability of the affected system. The vulnerability also has a scope change effect, meaning it may significantly impact additional Oracle products beyond the Universal Work Queue. Given the CVSS score of 9.9, the impact is critical.

Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches as soon as possible. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or removing unnecessary privileges from users, but these are temporary measures and may disrupt application functionality. Oracle recommends testing any such changes in non-production environments. Patch status is confirmed by the vendor advisory linked in the input data.