Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability classified as CWE-306 (Missing Authentication for Critical Function) affects the REST WebServices components in Oracle Identity Manager and Web Services Security in Oracle Web Services Manager. An attacker with network access to the vulnerable system can send HTTP requests to critical functions without the need for authentication. The protective mechanism in the form of identity verification is absent or can be bypassed, enabling unauthorized system-level operations.
Successful exploitation of this vulnerability leads to complete takeover of Oracle Identity Manager and Oracle Web Services Manager, resulting in loss of confidentiality, integrity, and availability of data and services managed by these systems.
Apply patches available from the vendor according to references published at https://www.oracle.com/security-alerts/alert-cve-2026-21992.html. Until patches are deployed, it is recommended to restrict network access to REST WebServices and Web Services Security components exclusively to trusted hosts and internal networks using firewall or ACL lists.
Oracle Identity Manager (component: REST WebServices) and Oracle Web Services Manager (component: Web Services Security) in versions 12.2.1.4.0 and 14.1.2.1.0, which are part of Oracle Fusion Middleware. Oracle Web Services Manager is installed together with Oracle Fusion Middleware Infrastructure.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle Identity Manager
APPOracle12.2.1.4.014.1.2.1.0Oracle Web Services Manager
APPOracle12.2.1.4.014.1.2.1.0
Related vulnerabilities
Pominięcie uwierzytelnienia w Oracle Identity Manager REST WebServices
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versio...
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Support...
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)...
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could...