ZeroPath at Black Hat USA 2026

Oracle E-Business Suite CVE-2026-46824: Brief Summary of a 9.9 CVSS Universal Work Queue Takeover

A brief summary of CVE-2026-46824, a near-maximum severity vulnerability in Oracle E-Business Suite's Universal Work Queue that allows low privileged attackers to achieve full application takeover with cross-component impact.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Oracle E-Business Suite CVE-2026-46824: Brief Summary of a 9.9 CVSS Universal Work Queue Takeover
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single low privileged user account on an Oracle E-Business Suite instance can now be leveraged into a complete application takeover, with the blast radius extending beyond the initially compromised component into other interconnected EBS modules. That is the practical reality of CVE-2026-46824, a CVSS 9.9 vulnerability in Oracle Universal Work Queue's Work Provider Site Level Administration, disclosed in the May 2026 Critical Security Patch Update.

Oracle Universal Work Queue (UWQ) is a component within Oracle E-Business Suite that routes service requests, tasks, and work assignments to appropriate agents across multiple EBS modules. Its architectural role as an integration layer between modules is precisely what makes this vulnerability's "Scope Changed" designation so consequential: compromising UWQ does not stay contained within UWQ. Approximately 6,828 verified companies run Oracle E-Business Suite as of 2026, representing roughly 4 to 5% of the global ERP market, with deployments spanning small businesses to large enterprises across industries.

Technical Information

Vulnerability Overview

CVE-2026-46824 affects the Work Provider Site Level Administration component of Oracle Universal Work Queue within Oracle E-Business Suite. The vulnerability was published by the NVD on May 28, 2026, with the source identified as [email protected]. No CWE classification has been assigned as of publication, which limits automated vulnerability classification and correlation with known attack patterns.

CVSS 3.1 Vector Analysis

The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 9.9. Here is what each metric tells us:

CVSS MetricValueInterpretation
Attack Vector (AV)Network (N)Exploitable remotely over HTTP
Attack Complexity (AC)Low (L)No special conditions or advanced techniques needed
Privileges Required (PR)Low (L)Standard, low privilege credentials suffice
User Interaction (UI)None (N)No action from another user required
Scope (S)Changed (C)Impact extends beyond the vulnerable component
Confidentiality (C)High (H)Complete disclosure of all accessible data
Integrity (I)High (H)Complete modification of all accessible data
Availability (A)High (H)Total denial of service possible

The Scope Changed designation is the critical differentiator here. Oracle Universal Work Queue integrates with multiple E-Business Suite modules to route service requests, tasks, and assignments to appropriate agents. A compromise in UWQ can therefore propagate to interconnected components. The Work Provider Site Level Administration functions specifically control the Work Providers List tab and administrative functions for work providers at the site level, making this a high value target within the UWQ architecture.

Attack Flow

Based on the CVSS metrics and product documentation, the exploitation path follows this sequence:

  1. Credential Acquisition: The attacker obtains valid low privilege credentials for the Oracle E-Business Suite instance. This does not require an administrative account; a standard user account with basic application access is sufficient.

  2. Network Access: The attacker establishes HTTP connectivity to the EBS application tier endpoints. Internet facing EBS deployments are at highest risk, though internal network access also qualifies.

  3. Component Targeting: The attacker targets the Work Provider Site Level Administration functions within UWQ. This responsibility controls work provider configurations at the site level.

  4. Exploitation: The Low Attack Complexity and absence of user interaction requirements mean exploitation is straightforward. No race conditions, specialized tooling, or social engineering are needed.

  5. Impact Escalation: The Scope Changed designation means the initial UWQ compromise extends to additional EBS products. The High ratings across confidentiality, integrity, and availability translate to complete data disclosure, arbitrary data modification, and potential system shutdown.

Comparison with Prior UWQ Vulnerability

A prior vulnerability in Oracle Universal Work Queue, CVE-2025-50107, was addressed in the July 2025 CPU. Comparing the two reveals a significant escalation:

AttributeCVE-2025-50107 (July 2025)CVE-2026-46824 (May 2026)
ComponentRequest handlingWork Provider Site Level Administration
CVSS 3.1 Score6.19.9
Privileges RequiredNone (unauthenticated)Low (authenticated)
User InteractionRequiredNone
Confidentiality ImpactLowHigh
Integrity ImpactLowHigh
Availability ImpactNoneHigh
CWECWE-284 (Improper Access Control)Not assigned
Affected Versions12.2.5 through 12.2.1412.2.3 through 12.2.15

Although CVE-2025-50107 was unauthenticated, it required user interaction and had limited impact. CVE-2026-46824, while requiring low privilege authentication, needs no user interaction and delivers complete takeover with scope change. In operational terms, CVE-2026-46824 is far more dangerous.

What We Do Not Know

Several technical details remain undisclosed: no CWE ID has been assigned, the specific vulnerable code path has not been published, no proof of concept exploit code is publicly available, and the exact mechanism by which scope change propagates to additional products has not been detailed. Oracle's standard practice is to withhold exploitation details until a majority of customers have applied the patch.

Affected Systems and Versions

Oracle E-Business Suite versions 12.2.3 through 12.2.15 are affected. This spans over 12 minor releases and covers the substantial majority of the currently supported EBS 12.2 installed base. Any organization running Oracle Universal Work Queue on a version within this range is vulnerable.

The May 2026 Critical Security Patch Update contains 12 new security patches for Oracle E-Business Suite in total, with 3 of those vulnerabilities being remotely exploitable without authentication. CVE-2026-46824 carries the highest CVSS score among all 12 EBS patches in this update.

Oracle notes that vulnerabilities in underlying Oracle Database and Oracle Fusion Middleware components can also affect Oracle E-Business Suite, so patching should address all layers of the EBS stack.

Vendor Security History

Oracle E-Business Suite has a documented pattern of critical vulnerabilities, several of which have been actively exploited:

CVEYearCVSSProductKey Detail
CVE-2025-6188220259.8+Oracle EBS Concurrent Processing / BI PublisherZero day exploited by Cl0p ransomware prior to patch availability
CVE-2025-5010720256.1Oracle Universal Work QueueUnauthenticated but required user interaction; CWE-284
CVE-2025-618842025HighOracle EBS Configurator (Runtime UI)High severity vulnerability in Configurator
CVE-2026-4682420269.9Oracle Universal Work QueueLow privilege authenticated takeover with scope change

The most significant precedent is CVE-2025-61882. The Cl0p ransomware group mass exploited this Oracle EBS zero day in mid-2025, targeting internet facing EBS deployments for data theft and account compromise. Evidence suggests the attackers chained both the zero day and flaws patched in Oracle's July 2025 CPU to orchestrate the campaign. Oracle subsequently released an emergency security alert and urged immediate patching.

This history establishes that Oracle EBS is an active target for sophisticated threat actors, and that the window between patch release and exploitation can be extremely narrow. Organizations that delayed patching CVE-2025-61882 became Cl0p victims.

As of May 29, 2026, no active exploitation of CVE-2026-46824 has been observed. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities Catalog, and no proof of concept code, exploit kits, or threat actor claims targeting this specific CVE have been identified. However, the CVE was published only one day ago, and the combination of CVSS 9.9, scope change, easy exploitation, and proven EBS targeting by ransomware groups creates an elevated risk profile. Threat actors have demonstrated the ability to acquire low privilege credentials through phishing and credential stuffing, so the authentication requirement is not a meaningful barrier for motivated adversaries.

Oracle strongly recommends applying the May 2026 Critical Security Patch Update as soon as possible. Oracle has explicitly stated that workarounds such as blocking network protocols or removing privileges are not long term solutions because they do not correct the underlying problem. For organizations that cannot immediately patch, temporary measures include restricting HTTP access to EBS application tier endpoints, minimizing the number of users with access to UWQ Work Provider Site Level Administration, and monitoring for unusual activity within UWQ administrative functions.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization