CRITICAL🇵🇱 Wersja polska

CVE-2026-21992

CVSS 9.8v3.1pub. 2026-03-20upd. 2026-03-23

Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

🤖 AI Analysis
How it works

The vulnerability classified as CWE-306 (Missing Authentication for Critical Function) affects the REST WebServices components in Oracle Identity Manager and Web Services Security in Oracle Web Services Manager. An attacker with network access to the vulnerable system can send HTTP requests to critical functions without the need for authentication. The protective mechanism in the form of identity verification is absent or can be bypassed, enabling unauthorized system-level operations.

Impact

Successful exploitation of this vulnerability leads to complete takeover of Oracle Identity Manager and Oracle Web Services Manager, resulting in loss of confidentiality, integrity, and availability of data and services managed by these systems.

Mitigation & patch

Apply patches available from the vendor according to references published at https://www.oracle.com/security-alerts/alert-cve-2026-21992.html. Until patches are deployed, it is recommended to restrict network access to REST WebServices and Web Services Security components exclusively to trusted hosts and internal networks using firewall or ACL lists.

Who is affected

Oracle Identity Manager (component: REST WebServices) and Oracle Web Services Manager (component: Web Services Security) in versions 12.2.1.4.0 and 14.1.2.1.0, which are part of Oracle Fusion Middleware. Oracle Web Services Manager is installed together with Oracle Fusion Middleware Infrastructure.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oracle Identity Manager

    APP
    Oracle
    12.2.1.4.014.1.2.1.0
  • Oracle Web Services Manager

    APP
    Oracle
    12.2.1.4.014.1.2.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassDoS
CWE
References

Related vulnerabilities

CVE-2025-61757CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Pominięcie uwierzytelnienia w Oracle Identity Manager REST WebServices

CVE-2026-35268CRITICAL9.9ten sam produkt

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versio...

CVE-2026-46807CRITICAL9.8ten sam produkt

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Support...

CVE-2019-2729CRITICAL9.8ten sam produkt

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)...

CVE-2017-15095CRITICAL9.8ten sam produkt

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could...