CVE-2026-46964 affects Oracle Universal Work Queue component of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The vulnerability is easily exploitable by a low privileged attacker with network access over HTTP, enabling compromise and potential takeover of the Oracle Universal Work Queue. The vulnerability also has scope to impact additional Oracle products. It carries a CVSS 3.1 score of 9.9 with network attack vector, low attack complexity, low privileges required, no user interaction, and complete confidentiality, integrity, and availability impact. Oracle’s June 2026 Critical Security Patch Update includes fixes for this vulnerability among 245 patches across multiple Oracle products. Oracle strongly recommends applying these patches without delay. Workarounds include blocking network protocols required for exploitation and removing unnecessary privileges, though these may disrupt normal operations.

Successful exploitation of CVE-2026-46964 can lead to complete compromise and takeover of Oracle Universal Work Queue, impacting confidentiality, integrity, and availability of the system. The vulnerability also has potential to affect additional Oracle products due to scope change. The critical CVSS score of 9.9 reflects the severity and ease of exploitation by a low privileged attacker over the network without user interaction.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers are strongly advised to apply the official patches promptly to remediate the issue. Until patches are applied, risk may be reduced by blocking network protocols required for the attack and by removing unnecessary privileges from users who do not require them. However, these mitigations may impact application functionality. Oracle’s advisory should be consulted for detailed patch availability and installation instructions.