Fix Soon

CVE-2026-21992

Unauthenticated Remote Code Execution in Oracle Identity Manager and Oracle Web Services Manager

CVE-2026-21992 describes an unauthenticated remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager, components of Oracle Fusion Middleware. An attacker with network access via HTTP can compromise the affected products, potentially taking over the systems and impacting confidentiality, integrity, and availability. The CVSS base score is 9.8 (CVSS v3.1).

Last analyzed: Loading...

Type

RCE (Remote Code Execution)

Auth Required

PoC Available

Vendor

Oracle

Product

Oracle Identity Manager and Oracle Web Services Manager

Exposure

Internet-facing

Default Config

Exploitable

CVSS Score

9.8

Name: Unauthenticated Remote Code Execution in Oracle Identity Manager and Oracle Web Services Manager
Summary: CVE-2026-21992 describes an unauthenticated remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager, components of Oracle Fusion Middleware. An attacker with network access via HTTP can compromise the affected products, potentially taking over the systems and impacting confidentiality, integrity, and availability. The CVSS base score is 9.8 (CVSS v3.1).

Vendor: Oracle
Product Name: Oracle Identity Manager and Oracle Web Services Manager
Product Description: Identity Manager provides identity lifecycle and access management within Oracle Fusion Middleware; Web Services Manager provides governance and security for web services within the same Fusion Middleware stack.
Affected Versions: 12.2.1.4.0, 14.1.2.1.0
Affected Component: REST WebServices in Oracle Identity Manager and Web Services Security in Oracle Web Services Manager (Fusion Middleware).
Component URLs: Not available
Protocol: HTTP
Ports: Not available
Internet-facing Likelihood: 60%
Exposure Level: Internet-facing
Enterprise Usage: 40%
Affected Software URLs: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

Type: RCE (Remote Code Execution)
Impact: Takeover of Oracle Identity Manager and Oracle Web Services Manager with high impact to confidentiality, integrity, and availability.
Exploitation Description: An unauthenticated attacker can send crafted HTTP requests to REST WebServices (Identity Manager) or Web Services Security endpoints to execute arbitrary code on the server, potentially gaining full control over the affected installation.
Detection Method: No
Detection Method Types: Not available
Detection Method URLs: Not available
PoC Available: No
PoC URLs: Not available
Default Config Exploitable: Yes
Exploitation Requirements: HTTP access to vulnerable REST WebServices (Identity Manager) or Web Services Security endpoints; no authentication required.
Requirements URLs: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
Requirements Probability: 100%
Authentication Needed: No

CVE ID: CVE-2026-21992
Description: Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager.
CVSS Score: 9.8
Published: Loading...
Last Modified: Loading...
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): AV:N
Attack Complexity (AC): AC:L
Privileges Required (PR): PR:N
User Interaction (UI): UI:N
Scope (S): S:U
Confidentiality (C): C:H
Integrity (I): I:H
Availability (A): A:H
CWE: CWE-306: Missing Authentication for Critical Function
NVD URL: https://nvd.nist.gov/vuln/detail/CVE-2026-21992
CPE Configuration: cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:*cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*
Version From: 12.2.1.4.012.2.1.4.014.1.2.1.014.1.2.1.0
Version UpTo: 12.2.1.4.012.2.1.4.014.1.2.1.014.1.2.1.0

Remediation Type: update
Remediation Description: Apply Oracle Security Alert CVE-2026-21992 patches; upgrade to patched Fusion Middleware versions via Oracle's Security Alert; follow patching instructions provided by Oracle.
Remediation URLs: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

EPSS Score: Not available
EPSS Percentile: Not available
EPSS Last Updated: Not available
CISA KEV: No
CISA KEV Date Added: Not available
Active Exploitation: No evidence
Active Exploitation URLs: Not available
Threat Actors: Not available
Threat Actors URLs: Not available

IOCs: Not available
Detection Rules: Not available
Threat Hunting URLs: Not available

Articles Used: 2
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-21992
https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

CVE-2026-21992

Unauthenticated Remote Code Execution in Oracle Identity Manager and Oracle Web Services Manager

AI Summary

Affected Software

Exploitation Details

NVD Data

Remediation

Threat Intelligence

Threat Hunting

Sources