CVE-2026-21992
Status: Received (Intake)
Critical Remote Code Execution in Oracle Identity Manager REST Services

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: Oracle

Description
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-03-20
EPSS evaluated: 2026-05-05
Sources: NVD, EUVD
Affected Vendors & Products (4 associated CPEs)
Vendor   Product                Version
oracle   identity_manager       12.2.1.4.0
oracle   identity_manager       14.1.2.1.0
oracle   web_services_manager   12.2.1.4.0
oracle   web_services_manager   14.1.2.1.0
CWE
CWE-306 (Missing Authentication for Critical Function): the product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
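To make the CWE-306 class concrete, here is an added example that is not taken from Oracle's code and says nothing about how the Identity Manager REST endpoint is actually built: a hypothetical REST dispatcher in Python. The vulnerable version leaves authentication to each handler, and the privileged route never calls it; the hardened version checks identity in the dispatcher before any handler runs, with an explicit allow-list of public routes. The token value and route names are invented for the illustration.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical bearer token standing in for whatever credential a real service validates.
_EXPECTED_TOKEN = "hypothetical-admin-token"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def is_authenticated(req: Request) -> bool:
    """Constant-time bearer-token check; False when the header is absent or malformed."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], _EXPECTED_TOKEN)


def create_user(req: Request) -> tuple:
    """Privileged action (creating an identity); must never run for an anonymous caller."""
    return 201, "user created"


def health(req: Request) -> tuple:
    """Deliberately public endpoint."""
    return 200, "ok"


def dispatch_vulnerable(req: Request) -> tuple:
    """CWE-306 shape: each handler is responsible for authenticating, and the
    privileged one simply never does."""
    if req.method == "GET" and req.path == "/health":
        return health(req)
    if req.method == "POST" and req.path == "/admin/users":
        return create_user(req)  # no identity check before a privileged action
    return 404, "not found"


# Only these (method, path) pairs may be served without credentials.
PUBLIC_ROUTES = {("GET", "/health")}
ROUTES = {("GET", "/health"): health, ("POST", "/admin/users"): create_user}


def dispatch_hardened(req: Request) -> tuple:
    """Deny by default: authentication runs in the dispatcher before any handler,
    and only the explicit allow-list bypasses it. A route added later is
    authenticated unless someone deliberately marks it public."""
    key = (req.method, req.path)
    if key not in PUBLIC_ROUTES and not is_authenticated(req):
        return 401, "authentication required"
    handler = ROUTES.get(key)
    if handler is None:
        return 404, "not found"
    return handler(req)


if __name__ == "__main__":
    anon = Request("POST", "/admin/users")  # constructed unauthenticated request
    print("vulnerable:", dispatch_vulnerable(anon))
    print("hardened:  ", dispatch_hardened(anon))
```

The design point is where the check lives: when authentication is opt-in per handler, every new endpoint is a chance to forget it; when the dispatcher denies by default, forgetting only makes a public endpoint fail closed. The hardened dispatcher also answers 401 rather than 404 for unknown paths from anonymous callers, so route enumeration requires credentials too.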
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Oracle Identity Manager and Oracle Web Services Manager, both Oracle Fusion Middleware products, in versions 12.2.1.4.0 and 14.1.2.1.0. It lies in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager. Because Oracle Web Services Manager is installed with Oracle Fusion Middleware Infrastructure, an affected version of that infrastructure carries the vulnerable component even where Identity Manager itself is not deployed.

The vulnerability is reachable over the network via HTTP and requires no authentication (PR:N) and no user interaction (UI:N), so an attacker with network access to the HTTP interface can exploit it without any credentials.

Successful exploitation lets the attacker execute code remotely and take over the affected products, with high impact on confidentiality, integrity and availability (C:H/I:H/A:H).

The vulnerability has a critical severity rating with a CVSS 3.1 base score of 9.8.


How can this vulnerability impact me?

If exploited, this vulnerability leads to a complete takeover of the affected Oracle Identity Manager and Oracle Web Services Manager systems: the attacker gains unauthorized access, can execute arbitrary code, and can disrupt or manipulate the identity and web-services management functions these products provide.

Since the impact is rated High for confidentiality, integrity and availability, the realistic consequences are data breaches, service outages, and loss of control over the affected systems and the identities they manage.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

Not covered by this record.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This record supplies no detection commands or indicators. The only indicator it provides is the affected version list: compare the deployed versions of Oracle Identity Manager and Oracle Web Services Manager (including any Oracle Fusion Middleware Infrastructure installation, which includes Web Services Manager) against 12.2.1.4.0 and 14.1.2.1.0.


What immediate steps should I take to mitigate this vulnerability?

Oracle strongly recommends that customers apply the provided patches or mitigations immediately.

Patches are available only for product versions under Premier or Extended Support according to Oracle's Lifetime Support Policy.

Customers running unsupported versions are advised to upgrade to a supported version: Oracle has not tested earlier releases, but they are likely to be affected as well.

