CVE-2026-46963: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. in Oracle Corporation Oracle Universal Work Queue
CVE-2026-46963 is a critical vulnerability in Oracle Universal Work Queue, part of Oracle E-Business Suite. It affects supported versions 12.2.3 through 12.2.15. The flaw allows a low privileged attacker with network access via HTTP to compromise the product, potentially leading to full takeover. The vulnerability also has scope to impact additional Oracle products. It has a CVSS 3.1 base score of 9.9, indicating high confidentiality, integrity, and availability impacts. Oracle has published a Critical Security Patch Update advisory recommending prompt patching. No explicit patch version is stated in the advisory content provided, but Oracle strongly urges applying the June 2026 Critical Security Patch Update. Mitigations include applying patches promptly and possibly blocking network protocols or removing unnecessary privileges until patches are applied. No known exploits in the wild have been reported yet.
AI Analysis
Technical Summary
CVE-2026-46963 is a critical security vulnerability in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 to 12.2.15. The vulnerability is easily exploitable by a low privileged attacker with network access via HTTP, enabling compromise and potential takeover of the Oracle Universal Work Queue. The vulnerability's impact extends beyond this product, potentially affecting other Oracle products (scope change). The CVSS 3.1 base score is 9.9 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability. Oracle's June 2026 Critical Security Patch Update advisory addresses this vulnerability among 245 others and strongly recommends immediate patching. No explicit patch version or remediation level is provided in the advisory content, but Oracle emphasizes applying the Critical Security Patch Update without delay. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, though these may affect functionality.
Potential Impact
Successful exploitation allows an attacker with low privileges and network access via HTTP to fully compromise Oracle Universal Work Queue, leading to complete takeover of the product. The vulnerability also has a scope change, meaning it may significantly impact additional Oracle products beyond Universal Work Queue. The CVSS score of 9.9 reflects critical impacts on confidentiality, integrity, and availability. No known exploits in the wild have been reported as of the advisory date.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to address this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required by the attack and removing unnecessary privileges or access to relevant packages from users who do not need them. These mitigations may disrupt application functionality, so patching is the preferred and definitive remediation. Patch status is not explicitly confirmed in the advisory content; customers should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest patch availability and installation instructions.
CVE-2026-46963: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. in Oracle Corporation Oracle Universal Work Queue
Description
CVE-2026-46963 is a critical vulnerability in Oracle Universal Work Queue, part of Oracle E-Business Suite. It affects supported versions 12.2.3 through 12.2.15. The flaw allows a low privileged attacker with network access via HTTP to compromise the product, potentially leading to full takeover. The vulnerability also has scope to impact additional Oracle products. It has a CVSS 3.1 base score of 9.9, indicating high confidentiality, integrity, and availability impacts. Oracle has published a Critical Security Patch Update advisory recommending prompt patching. No explicit patch version is stated in the advisory content provided, but Oracle strongly urges applying the June 2026 Critical Security Patch Update. Mitigations include applying patches promptly and possibly blocking network protocols or removing unnecessary privileges until patches are applied. No known exploits in the wild have been reported yet.
CVSS v3.1
Score 9.9critical
Affected software
pkg:maven/com.oracle/UniversalWorkQueueRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46963 is a critical security vulnerability in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 to 12.2.15. The vulnerability is easily exploitable by a low privileged attacker with network access via HTTP, enabling compromise and potential takeover of the Oracle Universal Work Queue. The vulnerability's impact extends beyond this product, potentially affecting other Oracle products (scope change). The CVSS 3.1 base score is 9.9 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability. Oracle's June 2026 Critical Security Patch Update advisory addresses this vulnerability among 245 others and strongly recommends immediate patching. No explicit patch version or remediation level is provided in the advisory content, but Oracle emphasizes applying the Critical Security Patch Update without delay. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, though these may affect functionality.
Potential Impact
Successful exploitation allows an attacker with low privileges and network access via HTTP to fully compromise Oracle Universal Work Queue, leading to complete takeover of the product. The vulnerability also has a scope change, meaning it may significantly impact additional Oracle products beyond Universal Work Queue. The CVSS score of 9.9 reflects critical impacts on confidentiality, integrity, and availability. No known exploits in the wild have been reported as of the advisory date.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to address this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required by the attack and removing unnecessary privileges or access to relevant packages from users who do not need them. These mitigations may disrupt application functionality, so patching is the preferred and definitive remediation. Patch status is not explicitly confirmed in the advisory content; customers should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest patch availability and installation instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.314Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b6320b89be688826681f
Added to database: 6/16/2026, 8:46:42 PM
Last enriched: 6/16/2026, 9:02:01 PM
Last updated: 6/17/2026, 4:59:01 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.