CVE-2026-21992 in Identity Manager
Summary
by MITRE • 03/20/2026
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Analysis
by VulDB Data Team • 05/10/2026
This vulnerability resides in the Oracle Identity Manager and Oracle Web Services Manager components of Oracle Fusion Middleware, specifically in the REST WebServices and Web Services Security modules. It affects versions 12.2.1.4.0 and 14.1.2.1.0 and can be exploited without authentication. Because the attack vector is HTTP network access, no prior authorization or credentials are needed to initiate an exploitation attempt, which makes the flaw especially dangerous for enterprise environments that rely on these middleware components for identity management and web services security.
Successful exploitation over unauthenticated network access can give an attacker full control of the affected Oracle Identity Manager and Oracle Web Services Manager instances. The CVSS 3.1 base score of 9.8 reflects high impact on confidentiality, integrity, and availability. The vulnerability aligns with CWE-284 (Improper Access Control) and potentially CWE-312 (Sensitive Data Exposure), as it allows unauthorized access to critical identity management systems. Its classification as "easily exploitable" indicates that an attack requires minimal skill and resources, which is particularly dangerous for organizations without robust network segmentation and monitoring controls.
Successful exploitation results in complete takeover of the identity management system, which could let an attacker manipulate user identities, access sensitive data, and disrupt business operations. Because organizations build their security architecture on Oracle Fusion Middleware Infrastructure, a compromise undermines the trust model these systems provide: an attacker could escalate privileges, access privileged accounts, and move laterally within the network. The consequences extend beyond the immediate compromise to data breaches, service disruption, and regulatory compliance violations with significant financial and reputational damage.
Organizations should immediately segment the network to isolate Oracle Fusion Middleware components from untrusted networks and apply the latest security patches from Oracle. Mitigation should also include network monitoring to detect unauthorized access attempts and access restrictions so that only authorized personnel can reach the affected systems. Security teams should inventory all deployments of the affected versions (12.2.1.4.0 and 14.1.2.1.0), enforce proper access controls, and review incident response procedures so they are ready for a possible exploitation event. The vulnerability underlines the importance of timely patching and defense in depth: network access controls, intrusion detection systems, and regular security assessments to keep unauthorized parties away from critical enterprise infrastructure components.