Fix Soon

CVE-2026-21992

RCE in Oracle Identity Manager / Web Services Manager (unauthenticated)

Summary

This vulnerability affects Oracle Identity Manager (component: REST WebServices) and Oracle Web Services Manager (component: Web Services Security), both part of Oracle Fusion Middleware. The root cause is missing authentication for a critical function: a remote attacker who can reach the affected interface over HTTP can trigger remote code execution without any credentials or user interaction. Successful exploitation can lead to full takeover of the affected Identity Manager or Web Services Manager installation.

Why Fix Soon?

Score: 4/6
  • No authentication required
  • Deployment unknown
  • No user interaction needed
  • Exploitable in default configuration
  • No active exploitation or PoC
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Exploitable with default configuration: Yes
Authentication needed: No
PoC / Exploit: No
Impact

Takeover of Oracle Identity Manager and Oracle Web Services Manager: full compromise of the affected installations and the data they hold, through remote code execution on the underlying Fusion Middleware host with the privileges of the affected server process.

Exploitation Requirements
  • Unauthenticated HTTP access to the REST WebServices interface (Identity Manager) or the Web Services Security interface (Web Services Manager)
  • An exposed Oracle Fusion Middleware installation running the affected component at version 12.2.1.4.0 or 14.1.2.1.0
Exploitation Process

An unauthenticated attacker sends crafted HTTP requests to the REST WebServices interface (Identity Manager) or the Web Services Security interface (OWSM). Because the affected function performs no authentication check, the requests are processed without credentials and lead to arbitrary code execution on the underlying Fusion Middleware host, giving full control of the affected installation. The specific request format is not public: no PoC or exploit has been published.

Detection Resources

Manual Detection: 0
Script Detection: 0
Scanner Detection: 0
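With no manual, script or scanner detection listed, and with the Remediation section reporting no patch, update or workaround, the practical interim control is to restrict which networks can reach the REST WebServices and Web Services Security interfaces and to hunt access logs for requests to those paths from anywhere else. The following Python script is an added example written for this page; it is not tooling from the tracker or from Oracle. It assumes WebLogic-style Common Log Format access logs, uses hypothetical URL prefixes in WATCHED_PREFIXES that must be replaced with the real context roots of your OIM REST and OWSM endpoints, and takes ALLOWED_NETS as the only networks that should legitimately reach those interfaces. The log lines are constructed for the example.

```python
"""Exposure hunt for the Oracle Identity Manager REST WebServices and
Oracle Web Services Manager interfaces: flag every request that reached
them from a network that should not be able to.

Added example for this page; not code from the tracker or from Oracle.
Assumptions: WebLogic-style Common Log Format access logs; the URL prefixes
in WATCHED_PREFIXES are hypothetical and must be replaced with the real
context roots of your OIM REST and OWSM endpoints; ALLOWED_NETS holds the
only networks that should legitimately reach those interfaces.
"""
import ipaddress
import re
from collections import Counter

# Common Log Format: client ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Hypothetical prefixes: substitute the paths your deployment actually serves.
WATCHED_PREFIXES = ("/iam/governance/", "/wsm-pm/")

# Only these networks are expected to talk to the watched interfaces.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]


def parse_line(line):
    """Return the log record as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_watched(path):
    """True if the request path is under one of the affected interfaces."""
    return any(path.startswith(prefix) for prefix in WATCHED_PREFIXES)


def is_allowed_source(ip, allowed=ALLOWED_NETS):
    """True only if the client address parses and sits inside an allowed net.
    Unparseable sources are treated as untrusted rather than skipped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def hunt(lines, allowed=ALLOWED_NETS):
    """Return (ip, method, path, status) for each request to a watched
    interface from outside the allowed networks, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]):
            continue
        if not is_allowed_source(rec["ip"], allowed):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def sources_by_volume(hits):
    """Count hits per source so the noisiest unexpected client surfaces first."""
    return Counter(ip for ip, _, _, _ in hits).most_common()


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '10.0.4.21 - - [12/Feb/2026:10:21:33 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 8123',
    '203.0.113.7 - - [12/Feb/2026:10:22:01 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Feb/2026:10:22:05 +0000] "GET /wsm-pm/validate HTTP/1.1" 401 0',
    '203.0.113.7 - - [12/Feb/2026:10:22:09 +0000] "GET /console/ HTTP/1.1" 403 0',
    'not a log line at all',
    '192.168.50.3 - - [12/Feb/2026:10:22:40 +0000] "GET /wsm-pm/ HTTP/1.1" 200 2',
    '203.0.113.7 - - [12/Feb/2026:10:23:12 +0000] "POST /wsm-pm/validate HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ip, method, path, status in found:
        print(f"UNEXPECTED {ip:<15} {method:<5} {status} {path}")
    print("by source:", sources_by_volume(found))
```

Because no PoC exists and the vulnerable function is not identified, the script cannot distinguish exploitation from benign use of the interface; what it gives you is the set of sources that can reach the affected interface at all, which is exactly the set to cut off at the reverse proxy or firewall while a patch is outstanding. A 401 or 403 on a watched path is still a hit: it proves reachability, and the missing-authentication condition means a request to the affected function would not be rejected that way.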

Affected Software

Vendor: Oracle

Product                        Affected Versions
Oracle Identity Manager        12.2.1.4.0 and 14.1.2.1.0
Oracle Web Services Manager    12.2.1.4.0 and 14.1.2.1.0
Description

Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM) are components of Oracle Fusion Middleware used for identity management and web services security management across enterprise environments.

Deployment: unknown
Protocol: HTTP
Ports: 80, 443
Affected Component: REST WebServices interface (Identity Manager) and Web Services Security component (Web Services Manager)

Enterprise Usage: AI-generated estimate of how likely this vendor/product is deployed in enterprise environments, on a scale from Very Low to Very High (value not captured)
Vendor Size: Big
Remediation

Workaround: Not available
Patch: Not available
Update: Not available

Threat Intelligence

EPSS: data unavailable
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors: No known threat actors

Detection Rules: 3
All three are listed under "Other" as threat hunting resources.

NVD Data


Description Summary

Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager.

CVSS Base Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High
CWE: (none listed)
Version ranges (per CPE): 12.2.1.4.0 to 12.2.1.4.0 and 14.1.2.1.0 to 14.1.2.1.0 for each product, i.e. exactly these two releases and nothing in between.

Affected Software (CPE) (4)

  • cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*
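The four CPE names above are what an asset inventory can be matched against. The following Python CPE 2.3 matcher is an added example for this page, not tooling from the tracker or NVD: it parses formatted strings (handling backslash-escaped colons), applies the ANY (*) and NA (-) attribute semantics, and, because an inventory entry with no recorded version cannot be cleared, reports such an entry as "possibly affected" instead of silently dropping it. The SAMPLE_INVENTORY is constructed for the example.

```python
"""Match an asset inventory of CPE 2.3 names against the affected CPEs.

Added example for this page, not tooling from the tracker or NVD. It
implements the CPE 2.3 formatted-string syntax (11 attributes, backslash-
escaped colons) and the attribute matching rules for ANY (*) and NA (-);
SAMPLE_INVENTORY is constructed.
"""
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# The four CPE names listed for this CVE: exact versions, every other attribute ANY.
AFFECTED_CPES = (
    "cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*",
)


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its attributes. Colons inside a
    value are escaped as backslash-colon and must not act as separators."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, (p.replace("\\:", ":") for p in parts[2:])))


def attribute_relation(pattern, value):
    """Relation between one affected-CPE attribute and one asset attribute:
    'match', 'no', or 'unknown' when the asset did not record the attribute."""
    if pattern == "*":
        return "match"              # ANY in the pattern accepts everything
    if value == "*":
        return "unknown"            # asset attribute unknown: cannot clear it
    if pattern == "-" or value == "-":
        return "match" if pattern == value else "no"   # NA only equals NA
    return "match" if pattern.lower() == value.lower() else "no"


def cpe_relation(pattern_cpe, asset_cpe):
    """'match' if every attribute matches, 'no' if any attribute rules it
    out, otherwise 'unknown'."""
    pattern, asset = parse_cpe(pattern_cpe), parse_cpe(asset_cpe)
    result = "match"
    for field in CPE_FIELDS:
        rel = attribute_relation(pattern[field], asset[field])
        if rel == "no":
            return "no"
        if rel == "unknown":
            result = "unknown"
    return result


def assess_inventory(inventory, affected=AFFECTED_CPES):
    """Map each asset CPE to 'affected', 'possibly affected' or 'not affected'."""
    verdicts = {}
    for asset in inventory:
        verdict = "not affected"
        for pattern in affected:
            rel = cpe_relation(pattern, asset)
            if rel == "match":
                verdict = "affected"
                break
            if rel == "unknown":
                verdict = "possibly affected"
        verdicts[asset] = verdict
    return verdicts


# Constructed inventory: two hits, one unversioned entry, two unrelated entries.
SAMPLE_INVENTORY = (
    "cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:web_services_manager:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*",
)

if __name__ == "__main__":
    for asset, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{verdict:<18} {asset}")
```

Because both affected ranges are single exact versions, the comparison is string equality after case folding; an inventory that records "12.2.1.4" without the trailing ".0" will read as not affected, so normalise version strings to the five-component form before feeding them in.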

Priority History

Fix Soon: Initial analysis
Planned Fix: Reassessed to Planned Fix