CVE-2026-21992
Critical Remote Code Execution in Oracle Identity Manager REST Services

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: Oracle

Description
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
oracle identity_manager 12.2.1.4.0
oracle web_services_manager 12.2.1.4.0
oracle identity_manager 14.1.2.1.0
oracle web_services_manager 14.1.2.1.0
Weakness (CWE)
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

This vulnerability affects Oracle Identity Manager and Oracle Web Services Manager, specifically in versions 12.2.1.4.0 and 14.1.2.1.0 of these Oracle Fusion Middleware products. It exists in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager.

The vulnerability is remotely exploitable over a network via HTTP without requiring any authentication, meaning an attacker can exploit it without needing any credentials or user interaction.

Successful exploitation allows an attacker to execute remote code and take over the affected systems, compromising confidentiality, integrity, and availability.

The vulnerability has a critical severity rating with a CVSS 3.1 base score of 9.8.

Impact Analysis

If exploited, this vulnerability can lead to a complete takeover of Oracle Identity Manager and Oracle Web Services Manager systems.

This means an attacker can gain unauthorized access, execute arbitrary code, and potentially disrupt or manipulate critical identity and web services management functions.

The impact includes high confidentiality, integrity, and availability risks, potentially leading to data breaches, service outages, and loss of control over affected systems.

Mitigation Strategies

Oracle strongly recommends that customers apply the provided patches or mitigations immediately.

These patches are available only for product versions under Premier or Extended Support according to Oracle’s Lifetime Support Policy.

Customers running unsupported versions are advised to upgrade to a supported version, as earlier releases are likely vulnerable but have not been tested.
