Introduction
A single low privileged user account on an Oracle E-Business Suite instance can now be leveraged into a complete application takeover, with the blast radius extending beyond the initially compromised component into other interconnected EBS modules. That is the practical reality of CVE-2026-46824, a CVSS 9.9 vulnerability in Oracle Universal Work Queue's Work Provider Site Level Administration, disclosed in the May 2026 Critical Security Patch Update.
Oracle Universal Work Queue (UWQ) is a component within Oracle E-Business Suite that routes service requests, tasks, and work assignments to appropriate agents across multiple EBS modules. Its architectural role as an integration layer between modules is precisely what makes this vulnerability's "Scope Changed" designation so consequential: compromising UWQ does not stay contained within UWQ. Approximately 6,828 verified companies run Oracle E-Business Suite as of 2026, representing roughly 4 to 5% of the global ERP market, with deployments spanning small businesses to large enterprises across industries.
Technical Information
Vulnerability Overview
CVE-2026-46824 affects the Work Provider Site Level Administration component of Oracle Universal Work Queue within Oracle E-Business Suite. The vulnerability was published by the NVD on May 28, 2026, with the source identified as [email protected]. No CWE classification has been assigned as of publication, which limits automated vulnerability classification and correlation with known attack patterns.
CVSS 3.1 Vector Analysis
The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 9.9. Here is what each metric tells us:
| CVSS Metric | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over HTTP |
| Attack Complexity (AC) | Low (L) | No special conditions or advanced techniques needed |
| Privileges Required (PR) | Low (L) | Standard, low privilege credentials suffice |
| User Interaction (UI) | None (N) | No action from another user required |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component |
| Confidentiality (C) | High (H) | Complete disclosure of all accessible data |
| Integrity (I) | High (H) | Complete modification of all accessible data |
| Availability (A) | High (H) | Total denial of service possible |
The Scope Changed designation is the critical differentiator here. Oracle Universal Work Queue integrates with multiple E-Business Suite modules to route service requests, tasks, and assignments to appropriate agents. A compromise in UWQ can therefore propagate to interconnected components. The Work Provider Site Level Administration functions specifically control the Work Providers List tab and administrative functions for work providers at the site level, making this a high value target within the UWQ architecture.
Attack Flow
Based on the CVSS metrics and product documentation, the exploitation path follows this sequence:
-
Credential Acquisition: The attacker obtains valid low privilege credentials for the Oracle E-Business Suite instance. This does not require an administrative account; a standard user account with basic application access is sufficient.
-
Network Access: The attacker establishes HTTP connectivity to the EBS application tier endpoints. Internet facing EBS deployments are at highest risk, though internal network access also qualifies.
-
Component Targeting: The attacker targets the Work Provider Site Level Administration functions within UWQ. This responsibility controls work provider configurations at the site level.
-
Exploitation: The Low Attack Complexity and absence of user interaction requirements mean exploitation is straightforward. No race conditions, specialized tooling, or social engineering are needed.
-
Impact Escalation: The Scope Changed designation means the initial UWQ compromise extends to additional EBS products. The High ratings across confidentiality, integrity, and availability translate to complete data disclosure, arbitrary data modification, and potential system shutdown.
Comparison with Prior UWQ Vulnerability
A prior vulnerability in Oracle Universal Work Queue, CVE-2025-50107, was addressed in the July 2025 CPU. Comparing the two reveals a significant escalation:
| Attribute | CVE-2025-50107 (July 2025) | CVE-2026-46824 (May 2026) |
|---|---|---|
| Component | Request handling | Work Provider Site Level Administration |
| CVSS 3.1 Score | 6.1 | 9.9 |
| Privileges Required | None (unauthenticated) | Low (authenticated) |
| User Interaction | Required | None |
| Confidentiality Impact | Low | High |
| Integrity Impact | Low | High |
| Availability Impact | None | High |
| CWE | CWE-284 (Improper Access Control) | Not assigned |
| Affected Versions | 12.2.5 through 12.2.14 | 12.2.3 through 12.2.15 |
Although CVE-2025-50107 was unauthenticated, it required user interaction and had limited impact. CVE-2026-46824, while requiring low privilege authentication, needs no user interaction and delivers complete takeover with scope change. In operational terms, CVE-2026-46824 is far more dangerous.
What We Do Not Know
Several technical details remain undisclosed: no CWE ID has been assigned, the specific vulnerable code path has not been published, no proof of concept exploit code is publicly available, and the exact mechanism by which scope change propagates to additional products has not been detailed. Oracle's standard practice is to withhold exploitation details until a majority of customers have applied the patch.
Affected Systems and Versions
Oracle E-Business Suite versions 12.2.3 through 12.2.15 are affected. This spans over 12 minor releases and covers the substantial majority of the currently supported EBS 12.2 installed base. Any organization running Oracle Universal Work Queue on a version within this range is vulnerable.
The May 2026 Critical Security Patch Update contains 12 new security patches for Oracle E-Business Suite in total, with 3 of those vulnerabilities being remotely exploitable without authentication. CVE-2026-46824 carries the highest CVSS score among all 12 EBS patches in this update.
Oracle notes that vulnerabilities in underlying Oracle Database and Oracle Fusion Middleware components can also affect Oracle E-Business Suite, so patching should address all layers of the EBS stack.
Vendor Security History
Oracle E-Business Suite has a documented pattern of critical vulnerabilities, several of which have been actively exploited:
| CVE | Year | CVSS | Product | Key Detail |
|---|---|---|---|---|
| CVE-2025-61882 | 2025 | 9.8+ | Oracle EBS Concurrent Processing / BI Publisher | Zero day exploited by Cl0p ransomware prior to patch availability |
| CVE-2025-50107 | 2025 | 6.1 | Oracle Universal Work Queue | Unauthenticated but required user interaction; CWE-284 |
| CVE-2025-61884 | 2025 | High | Oracle EBS Configurator (Runtime UI) | High severity vulnerability in Configurator |
| CVE-2026-46824 | 2026 | 9.9 | Oracle Universal Work Queue | Low privilege authenticated takeover with scope change |
The most significant precedent is CVE-2025-61882. The Cl0p ransomware group mass exploited this Oracle EBS zero day in mid-2025, targeting internet facing EBS deployments for data theft and account compromise. Evidence suggests the attackers chained both the zero day and flaws patched in Oracle's July 2025 CPU to orchestrate the campaign. Oracle subsequently released an emergency security alert and urged immediate patching.
This history establishes that Oracle EBS is an active target for sophisticated threat actors, and that the window between patch release and exploitation can be extremely narrow. Organizations that delayed patching CVE-2025-61882 became Cl0p victims.
As of May 29, 2026, no active exploitation of CVE-2026-46824 has been observed. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities Catalog, and no proof of concept code, exploit kits, or threat actor claims targeting this specific CVE have been identified. However, the CVE was published only one day ago, and the combination of CVSS 9.9, scope change, easy exploitation, and proven EBS targeting by ransomware groups creates an elevated risk profile. Threat actors have demonstrated the ability to acquire low privilege credentials through phishing and credential stuffing, so the authentication requirement is not a meaningful barrier for motivated adversaries.
Oracle strongly recommends applying the May 2026 Critical Security Patch Update as soon as possible. Oracle has explicitly stated that workarounds such as blocking network protocols or removing privileges are not long term solutions because they do not correct the underlying problem. For organizations that cannot immediately patch, temporary measures include restricting HTTP access to EBS application tier endpoints, minimizing the number of users with access to UWQ Work Provider Site Level Administration, and monitoring for unusual activity within UWQ administrative functions.
References
- NVD: CVE-2026-46824
- Oracle Security Critical Patch Update Advisory, May 2026
- Text Form of Oracle CSPU May 2026 Risk Matrices
- Oracle Security Alerts Portal
- Oracle Universal Work Queue Implementation Guide
- NVD: CVE-2025-50107 (Prior UWQ Vulnerability)
- Oracle Security Alert Advisory: CVE-2025-61882
- Halcyon: Cl0p Abuses Oracle E-Business Suite for Account Takeover
- Oligo Security: CVE-2025-61882 Oracle EBS Zero Day Exploited in Cl0p Extortion Campaigns
- Resecurity: CVE-2025-61882 Mass Exploitation
- HIPAA Journal: Cl0p Mass Exploiting Zero Day in Oracle EBS
- Landbase: Companies Using Oracle E-Business Suite in 2026
- CISA Known Exploited Vulnerabilities Catalog



