Skip to content
Threat Feed
critical advisory

CVE-2026-46824 - Oracle Universal Work Queue Compromise via HTTP

CVE-2026-46824 allows a low-privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue versions 12.2.3-12.2.15, potentially leading to takeover and impact on additional products.

CVE-2026-46824 is a critical vulnerability affecting the Oracle Universal Work Queue component within Oracle E-Business Suite. Specifically, the vulnerability resides in the Work Provider Site Level Administration. The affected versions are 12.2.3 through 12.2.15. This vulnerability is easily exploitable and grants a low-privileged attacker with network access via HTTP the ability to compromise the Oracle Universal Work Queue. Successful exploitation can lead to a complete takeover of the Oracle Universal Work Queue and may significantly impact other Oracle products within the environment due to a scope change. Defenders should prioritize patching and monitoring for suspicious activity targeting this component.

Attack Chain

  1. Attacker gains low-privileged network access to the Oracle E-Business Suite environment via HTTP.
  2. Attacker sends a crafted HTTP request to the Work Provider Site Level Administration component of the Oracle Universal Work Queue.
  3. The malicious request exploits CVE-2026-46824, bypassing authentication or authorization checks due to insufficient input validation.
  4. Successful exploitation allows the attacker to execute arbitrary code within the context of the Oracle Universal Work Queue application.
  5. The attacker leverages the compromised Universal Work Queue to escalate privileges within the E-Business Suite environment.
  6. Attacker gains control over the Oracle Universal Work Queue application and its data.
  7. Attacker leverages the compromised Oracle Universal Work Queue to pivot and compromise other related Oracle products within the environment.
  8. Attacker achieves complete takeover of the Oracle Universal Work Queue and gains unauthorized access to sensitive data.

Impact

Successful exploitation of CVE-2026-46824 can lead to a complete takeover of the Oracle Universal Work Queue, resulting in unauthorized access to sensitive data, disruption of services, and potential compromise of other Oracle products. The vulnerability allows even low-privileged attackers with network access to achieve significant impact, potentially affecting a wide range of business processes reliant on the Oracle E-Business Suite.

Recommendation

  • Immediately apply the patch provided by Oracle to address CVE-2026-46824 on all affected Oracle Universal Work Queue instances within the 12.2.3-12.2.15 versions.
  • Deploy the Sigma rule Detect CVE-2026-46824 Exploitation Attempt via HTTP to detect potential exploitation attempts targeting the vulnerable component using the webserver log source.
  • Monitor network traffic for suspicious HTTP requests to the Work Provider Site Level Administration component of the Oracle Universal Work Queue.

Detection coverage 2

Detect CVE-2026-46824 Exploitation Attempt via HTTP

high

Detects CVE-2026-46824 exploitation — Suspicious HTTP requests to the Work Provider Site Level Administration component indicating a potential takeover attempt.

sigma tactics: initial_access, privilege_escalation techniques: T1190 sources: webserver

Detect High Volume of HTTP 500 Errors After Patching

low

Detects a high volume of HTTP 500 Errors after patching, which might indicate problems with the patch. This rule assumes that the E-Business Suite environment is usually well-behaved.

sigma tactics: impact sources: webserver

Detection queries are available on the platform. Get full rules →