Commissioned, Curated and Published by Russ. Researched and written with AI.


Oracle shipped an out-of-band security alert last week for CVE-2026-21992, a critical remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager. CVSS score: 9.8 out of 10. No authentication required. Exploitable over HTTP.

This is as bad as it gets on paper.

What the vulnerability is

CVE-2026-21992 allows an unauthenticated attacker with network access via HTTP to compromise both Oracle Identity Manager and Oracle Web Services Manager. The NIST National Vulnerability Database describes it as “easily exploitable.” Successful exploitation can result in full takeover of affected instances.

The attack surface here matters. Oracle Identity Manager is an enterprise identity provisioning and governance platform – it manages who has access to what across an organisation’s systems. A complete compromise of IdM isn’t just a server takeover; it’s a foothold into access control for everything that system manages.

Affected versions

The patch covers:

  • Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0

If you’re running either product on either of those versions, you’re exposed.

The patch

Oracle released this as an out-of-band alert, meaning it didn’t wait for the next quarterly Critical Patch Update cycle. That alone signals how seriously Oracle is treating this. The patch is available via Oracle’s security alert advisory at oracle.com/security-alerts/alert-cve-2026-21992.html.

Oracle has urged customers to apply the update without delay.

Active exploitation

Oracle’s advisory makes no mention of exploitation in the wild. As of the time of writing, no public proof-of-concept code has been reported. That doesn’t mean the window stays open indefinitely – CVSS 9.8, unauthenticated, over HTTP, against a widely deployed identity product is exactly the kind of vulnerability that attracts attention quickly.

For context: in November 2025, CISA added CVE-2025-61757 – a separate pre-authenticated RCE flaw in Oracle Identity Manager, also scoring CVSS 9.8 – to its Known Exploited Vulnerabilities catalog after confirmed active exploitation. Oracle IdM has been a target before.

What to do

Patch now. The Oracle advisory has the patch documentation. If you’re running an affected version and patching immediately isn’t possible, network reachability is the one control you have left – restrict access to these systems aggressively at the network layer while you work toward patching.

Check with your vendor if you’re running Oracle IdM via a managed service or third-party deployment. The exposure is the same regardless of who manages the infrastructure.

There’s no workaround that substitutes for the patch here. An unauthenticated HTTP vector doesn’t offer much surface for compensating controls short of cutting off network access entirely.
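The two practical questions in the “Affected versions” and “What to do” sections are: which of your instances are on a version named in the alert, and which of those are reachable over HTTP from places you don’t control? The script below is an added example for this post (not Oracle’s code and not from the advisory) that answers both from an inventory. The inventory rows, the `http_exposure` categories and the `alert_patch_applied` field are all assumptions: the version string alone cannot tell you whether the Security Alert patch has been applied, so that fact has to be recorded separately (for example from `opatch lsinventory` on each host).

```python
"""Triage helper for CVE-2026-21992 exposure (added example, not Oracle's code).

Given an inventory of Oracle Identity Manager / Oracle Web Services Manager
instances, flag the ones whose version is named in Oracle's alert and rank
them by how reachable their HTTP interface is. All inventory rows below are
constructed sample data.
"""
from dataclasses import dataclass

# Versions named in the Oracle Security Alert for CVE-2026-21992.
# A version that is not listed is out of scope for this script, not declared safe.
AFFECTED = {
    "Oracle Identity Manager": {"12.2.1.4.0", "14.1.2.1.0"},
    "Oracle Web Services Manager": {"12.2.1.4.0", "14.1.2.1.0"},
}

# Lower number = more urgent. The categories are an assumption of this example.
PRIORITY = {"internet": 0, "internal": 1, "restricted": 2}


@dataclass
class Instance:
    host: str
    product: str
    version: str               # as recorded by whatever inventory tool you use
    http_exposure: str         # "internet", "internal" or "restricted" (assumed field)
    alert_patch_applied: bool = False  # tracked separately, e.g. from opatch lsinventory


def normalize_version(v: str) -> str:
    """Turn '12.2.1.4' or '12.02.1.4.0' into Oracle's five-part '12.2.1.4.0' form."""
    parts = [p for p in v.strip().split(".") if p]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    while len(parts) < 5:
        parts.append("0")
    return ".".join(str(int(p)) for p in parts[:5])


def is_affected(inst: Instance) -> bool:
    """True when the instance's product and normalized version appear in the alert."""
    return normalize_version(inst.version) in AFFECTED.get(inst.product, set())


def triage(instances: list[Instance]) -> list[tuple[str, str]]:
    """Return (host, recommended action) pairs, most urgent first."""
    rows = []
    for inst in instances:
        if not is_affected(inst):
            continue
        if inst.alert_patch_applied:
            action = "verify patch record"
        elif inst.http_exposure == "internet":
            action = "patch now; block HTTP at the network edge until done"
        elif inst.http_exposure == "internal":
            action = "patch now; restrict HTTP to admin sources meanwhile"
        else:
            action = "patch in the next window"
        rows.append((inst, action))
    # Unpatched instances first, then by exposure; patched ones only need verification.
    rows.sort(key=lambda r: (r[0].alert_patch_applied, PRIORITY[r[0].http_exposure]))
    return [(inst.host, action) for inst, action in rows]


# Constructed sample inventory; hostnames and exposure values are made up.
SAMPLE_INVENTORY = [
    Instance("oim-prod-1", "Oracle Identity Manager", "12.2.1.4", "internet"),
    Instance("oim-prod-2", "Oracle Identity Manager", "12.2.1.4.0", "internal", True),
    Instance("owsm-dev", "Oracle Web Services Manager", "14.1.2.1.0", "restricted"),
    Instance("oim-legacy", "Oracle Identity Manager", "12.2.1.3.0", "internet"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {action}")
```

Note that `oim-legacy` is skipped, not cleared: a version outside the alert’s list may simply be out of support, which is a separate problem to chase with Oracle.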


Sources: The Hacker News | Oracle Security Alert Advisory | NIST NVD | BleepingComputer