PT-2026-26538 · Oracle · Oracle Identity Manager, Oracle Web Services Manager
Published 2026-03-19 · Updated 2026-05-18 · CVE-2026-21992
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
Description
A critical vulnerability exists in Oracle Identity Manager (component: REST WebServices) and Oracle Web Services Manager (component: Web Services Security), both part of Oracle Fusion Middleware. An unauthenticated attacker with network access over HTTP can exploit it to compromise these products; successful exploitation results in a complete takeover of the affected Oracle Identity Manager or Oracle Web Services Manager instance, that is, remote code execution without any credentials. Reports indicate that CVE-2026-21992 may already be exploited in the wild, with attackers gaining unauthenticated remote code execution and creating privileged accounts for lateral movement. The vulnerability has a CVSS score of 9.8.
Recommendations
Apply the security updates released by Oracle to address CVE-2026-21992 for each affected version: Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0. Because the reported in-the-wild exploitation includes the creation of privileged accounts, applying the update does not remove an existing foothold; after patching, review user accounts and administrative role assignments in the affected products for additions you cannot account for.
Exploit · Fix · RCE · Missing Authentication
Affected Products
Oracle Identity Manager
Oracle Web Services Manager