Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

Oracle issued an out-of-band security alert for CVE-2026-21992, an unauthenticated RCE in Oracle Identity Manager and Oracle Web Services Manager. The decision not to wait for the April quarterly CPU cycle signals Oracle’s own assessment of severity. Patch now.


Changelog

Date          Summary
24 Mar 2026   Initial publication covering CVE-2026-21992 Oracle IdM unauthenticated RCE, CVSS 9.8, out-of-band patch issued.

Oracle has released an out-of-band security alert for CVE-2026-21992, a critical remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. CVSS 9.8. No authentication required. Network access via HTTP is sufficient. A successful exploit results in full takeover of the affected instance.

What’s Vulnerable

The flaw affects two products across two versions each:

  • Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0

Oracle Web Services Manager is installed as part of the Fusion Middleware Infrastructure, so any Fusion Middleware Infrastructure deployment at either of those versions carries OWSM whether or not it was ever configured, and should be treated as exposed until verified otherwise.

The NVD entry classifies this as CWE-306 (Missing Authentication for Critical Function). The CVSS vector is the worst-case profile: reachable over the network, low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity and availability. The only CVSS 3.1 vector that scores 9.8 with those properties is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, so scope is unchanged: the takeover is of the affected instance itself rather than of the surrounding host by way of the score's scope metric, which is still everything an identity-management deployment has to lose.
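As an added example (not Oracle's tooling and not code from the advisory), the Python below turns the affected-version list and the Fusion Middleware Infrastructure note above into a triage pass over a host inventory: it normalises Oracle's dotted version strings so "12.2.1.4" and "12.2.1.4.0" compare equal, marks the two listed products as confirmed, marks Fusion Middleware Infrastructure installs at the same versions as assumed-exposed, and orders the result by exposure so HTTP-reachable-from-untrusted-network hosts come first. The Host and Finding shapes, the exposure class names and the sample inventory are assumptions made for the example.

```python
"""Triage helper for CVE-2026-21992.

Added example, not Oracle tooling: the inventory record shape, the exposure
class names and the sample hosts are constructed for illustration.  The
affected products and versions are the ones listed in the security alert.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Affected products and versions as listed in the Oracle security alert.
AFFECTED = {
    "Oracle Identity Manager": {(12, 2, 1, 4, 0), (14, 1, 2, 1, 0)},
    "Oracle Web Services Manager": {(12, 2, 1, 4, 0), (14, 1, 2, 1, 0)},
}

# OWSM ships inside Fusion Middleware Infrastructure, so an infrastructure
# install at an affected version is treated as exposed until verified.
CARRIER_PRODUCT = "Fusion Middleware Infrastructure"
CARRIER_VERSIONS = {(12, 2, 1, 4, 0), (14, 1, 2, 1, 0)}

# Exposure classes, most urgent first.  Names are an assumed inventory
# convention; "internet" means HTTP-reachable from untrusted networks.
EXPOSURE_RANK = {"internet": 0, "partner": 1, "internal": 2, "isolated": 3}


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    exposure: str  # one of EXPOSURE_RANK


@dataclass(frozen=True)
class Finding:
    name: str
    status: str    # "confirmed" (listed product) or "assumed" (carrier product)
    exposure: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Normalise a dotted Oracle version to five integer components.

    '12.2.1.4' and '12.2.1.4.0' both become (12, 2, 1, 4, 0); extra trailing
    components beyond the fifth are ignored.
    """
    parts = [int(p) for p in version.strip().split(".") if p]
    return tuple((parts + [0] * 5)[:5])


def classify(host: Host) -> Optional[str]:
    """'confirmed' for a listed product/version, 'assumed' for the carrier, else None."""
    v = parse_version(host.version)
    if v in AFFECTED.get(host.product, set()):
        return "confirmed"
    if host.product == CARRIER_PRODUCT and v in CARRIER_VERSIONS:
        return "assumed"
    return None


def triage(hosts: Iterable[Host]) -> List[Finding]:
    """Affected hosts ordered by exposure, then name; unaffected hosts are dropped."""
    findings = []
    for h in hosts:
        status = classify(h)
        if status:
            findings.append(Finding(h.name, status, h.exposure))
    return sorted(findings, key=lambda f: (EXPOSURE_RANK.get(f.exposure, 99), f.name))


# Constructed sample inventory.  "oim-legacy" is not in the alert's affected
# list, so it is not flagged; check its support status separately.
SAMPLE_INVENTORY = [
    Host("oim-prod-01", "Oracle Identity Manager", "12.2.1.4.0", "internet"),
    Host("oim-dev-01", "Oracle Identity Manager", "12.2.1.4", "internal"),
    Host("oim-legacy", "Oracle Identity Manager", "11.1.2.3.0", "internal"),
    Host("fmw-infra-02", "Fusion Middleware Infrastructure", "14.1.2.1.0", "partner"),
    Host("owsm-01", "Oracle Web Services Manager", "14.1.2.1.0", "isolated"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.exposure:<9} {f.status:<9} {f.name}")
```

The "assumed" status is the point of the carrier rule: an inventory that only records "Fusion Middleware Infrastructure" will never say "Oracle Web Services Manager", so without that rule the OWSM half of the advisory silently drops out of the patch list.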

Why the Out-of-Band Release Matters

Oracle issues Security Alerts outside its standard quarterly CPU cycle roughly twice a year on average. The decision to do so here means Oracle did not consider waiting until April 2026 appropriate. That is a meaningful signal in itself. Read it accordingly.

Prior Exploitation Context

This is not the first critical pre-authentication RCE to hit Oracle Identity Manager. In November 2025, CISA added CVE-2025-61757, also CVSS 9.8 and also an unauthenticated RCE in Oracle Identity Manager, to the Known Exploited Vulnerabilities catalogue with evidence of active exploitation in the wild. SANS Internet Storm Center analysis of honeypot logs documented active HTTP POST attempts against the Oracle Identity Manager endpoint associated with that CVE.

CVE-2026-21992 sits on the same attack surface. Oracle has stated it is not aware of active exploitation at this time, but given how quickly CVE-2025-61757 moved from patch to active exploitation, waiting is not a defensible position.

What to Do

Apply the patch. Oracle’s advisory is at oracle.com/security-alerts/alert-cve-2026-21992.html and references the Fusion Middleware patch document KB878741. Identity Manager sits at the centre of your authentication and access provisioning infrastructure: a full takeover there means an attacker can provision or revoke access to every system that instance manages.

If patching is not immediately possible, restrict network access to the Oracle Identity Manager and Web Services Manager endpoints at the perimeter, and confirm from web-tier access logs that only trusted source ranges still reach them. HTTP-accessible instances exposed to untrusted networks are the highest priority.
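As an added example (not Oracle's tooling), the Python below checks whether the perimeter restriction above is actually holding: it parses Common Log Format access-log lines from the web tier, keeps only requests under the context roots fronting OIM and OWSM, and reports every request that came from a source outside an allowlist, with a separate count of POSTs because that is the request pattern SANS ISC saw against the 2025 OIM CVE. The context roots, the allowlisted ranges and the log lines are assumptions constructed for the example; substitute your own deployment's values.

```python
"""Perimeter check for the CVE-2026-21992 interim mitigation.

Added example, not Oracle tooling.  Parses web-tier access logs and reports
requests that reached the OIM / OWSM context roots from outside an allowlist.
The context roots, allowlist and sample log lines are assumed or constructed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed context roots fronting OIM and OWSM; adjust to your deployment.
WATCHED_PREFIXES = ("/identity/", "/sysadmin/", "/wsm-pm/")

# Hypothetical trusted source ranges (corporate and admin networks).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

Hit = Tuple[str, str, int]  # (method, path, status)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(ip: str) -> bool:
    """True if ip lies inside an allowlisted range; malformed addresses are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def external_hits(lines: Iterable[str]) -> Dict[str, List[Hit]]:
    """Map each non-allowlisted source IP to the watched-endpoint requests it made."""
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        if is_allowed(rec["ip"]):
            continue
        hits[rec["ip"]].append((rec["method"], rec["path"], int(rec["status"])))
    return dict(hits)


def external_post_count(lines: Iterable[str]) -> int:
    """Number of POSTs to watched endpoints from untrusted sources."""
    return sum(1 for reqs in external_hits(lines).values()
               for method, _, _ in reqs if method == "POST")


# Constructed sample log: two untrusted sources reach watched roots, one
# trusted source is ignored, one untrusted source only fetches a static file,
# and one line is deliberately unparseable.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:01:02 +0000] "POST /identity/ HTTP/1.1" 200 512
10.20.30.40 - - [24/Mar/2026:10:01:05 +0000] "GET /identity/ HTTP/1.1" 200 2048
203.0.113.7 - - [24/Mar/2026:10:01:09 +0000] "POST /wsm-pm/ HTTP/1.1" 500 120
198.51.100.22 - - [24/Mar/2026:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9001
2001:db8::1 - - [24/Mar/2026:10:02:30 +0000] "POST /sysadmin/ HTTP/1.1" 403 0
this line does not parse and is skipped
"""

if __name__ == "__main__":
    for ip, reqs in external_hits(SAMPLE_LOG.splitlines()).items():
        for method, path, status in reqs:
            print(f"{ip:<16} {method:<5} {path:<12} {status}")
    print("external POSTs:", external_post_count(SAMPLE_LOG.splitlines()))
```

A non-empty result after the perimeter rule is in place means the restriction is not where the traffic actually enters (a load balancer or reverse proxy that has not been updated is the usual reason); a 403 from the application, as on the IPv6 source above, still counts, because the request reached the instance.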

Oracle’s quarterly CPU cycle exists because its patch backlog is always substantial. When Oracle breaks from that cycle, pay attention. This is one of those times.