Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New

Date         Update
24 Mar 2026  Oracle issued the patch on March 19 as an out-of-band Security Alert rather than holding it for the next scheduled quarterly Critical Patch Update in April 2026.

Changelog

Date         Summary
24 Mar 2026  Initial publication.

The Vulnerability

On March 19, Oracle released an emergency security patch for CVE-2026-21992, a critical remote code execution vulnerability with a CVSS v3.1 score of 9.8 out of 10. The flaw affects two Oracle Fusion Middleware products:

  • Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0

The root cause is missing authentication for a critical function (CWE-306). In Oracle Identity Manager the vulnerable component is REST WebServices. In Oracle Web Services Manager it is the Web Services Security component. An unauthenticated attacker with network access over HTTP can exploit the flaw to achieve full remote code execution, with no user interaction required.

That is about as bad as a vulnerability description gets.

Why This One Gets Special Treatment

Oracle does not break from its quarterly CPU cycle lightly. The fact that CVE-2026-21992 warranted an out-of-band Security Alert – the first for Oracle Identity Manager since CVE-2017-10151, a CVSS 10.0 default credential issue – tells you how Oracle is evaluating the risk.

The likely context: in November 2025, CISA added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog. That vulnerability affected the same product, the same component (REST WebServices in Oracle Identity Manager), and the same versions. Searchlight Cyber researchers described it as an authentication bypass that was “somewhat trivial and easily exploitable.” Oracle patched it in the October 2025 CPU. CISA flagged active exploitation the following month.

CVE-2026-21992 hits the same surface. Oracle has not confirmed whether the two vulnerabilities are related, but the pattern is hard to ignore. Attackers already have tooling and knowledge of this component from CVE-2025-61757. A second unauthenticated RCE in the same area is not going to sit unnoticed for long.

What Oracle Identity Manager and Web Services Manager Actually Do

Oracle Identity Manager handles provisioning, managing, and deprovisioning users, roles, and access rights across enterprise systems. It is the thing that decides who has access to what. Oracle Web Services Manager sits in front of APIs within a Fusion Middleware deployment, enforcing security policy on web service traffic.

Both products are typically deployed in enterprise environments where they have broad access to downstream systems. Code execution on either is not a contained incident. It is a pivot point into user directories, access control systems, and anything those systems talk to.

How to Respond

Patch immediately. Oracle has published patch availability documentation for Fusion Middleware through its Security Alert advisory at oracle.com/security-alerts/alert-cve-2026-21992.html. The advisory includes links to the Patch Availability Document with installation instructions for each affected version.

If you are running versions older than 12.2.1.4.0 or 14.1.2.1.0, Oracle notes those are unsupported and recommends upgrading to a supported version before applying the patch. Unsupported versions are likely affected but will not receive a fix.

Until patching is complete, evaluate whether REST WebServices and Web Services Security endpoints are exposed beyond their intended network boundaries. Neither component needs to be internet-facing. If they are, treat that exposure as an immediate incident response item regardless of patch status: restrict access at the load balancer or firewall, and review access logs for requests to those endpoints from outside the expected networks.
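The two checks above, version triage and exposure review, as an added example. This is illustrative code written for this page, not Oracle tooling and not from the advisory. It assumes the default WebLogic common-log access format, assumes the context roots /iam/governance/ (OIM REST WebServices) and /wsm-pm/ (OWSM) as the paths to watch, and uses RFC 1918 ranges as a stand-in for "intended network boundaries"; the sample log lines are constructed. Substitute your own prefixes, ranges and logs.

```python
"""Triage helpers for the CVE-2026-21992 response steps (example code, not Oracle's).

Assumptions, labelled as such:
  - AFFECTED_VERSIONS is the list from the Security Alert as quoted on this page.
  - SENSITIVE_PREFIXES are assumed context roots for the affected components.
  - INTERNAL_NETS are placeholder RFC 1918 ranges; replace with your real boundaries.
  - Access log lines follow the default WebLogic common log format.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.1.0"}
MIN_SUPPORTED = (12, 2, 1, 4, 0)  # anything older is unsupported per the advisory

# Assumed context roots: OIM REST WebServices and OWSM policy manager.
SENSITIVE_PREFIXES = ("/iam/governance/", "/wsm-pm/")

# Placeholder "inside the boundary" ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Common log format: host ident authuser [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'12.2.1.4.0' -> (12, 2, 1, 4, 0) so versions compare numerically."""
    return tuple(int(x) for x in v.strip().split("."))


def classify_version(installed: str) -> str:
    """Map an installed OIM/OWSM version to the response action the page describes."""
    if installed in AFFECTED_VERSIONS:
        return "affected: apply the Security Alert patch"
    if parse_version(installed) < MIN_SUPPORTED:
        return "unsupported: likely affected, no fix; upgrade then patch"
    return "not listed: confirm against the Patch Availability Document"


def is_internal(ip: str) -> bool:
    """True when the source address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_hits(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return requests to the sensitive prefixes whose source is not internal.

    Unparseable source fields are treated as external so they are not silently dropped.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if not m.group("path").startswith(SENSITIVE_PREFIXES):
            continue
        try:
            if is_internal(m.group("src")):
                continue
        except ValueError:
            pass
        hits.append({k: m.group(k) for k in ("src", "ts", "method", "path", "status")})
    return hits


# Constructed sample access log lines (not from any real system).
SAMPLE_LOG = [
    '10.20.1.15 - - [20/Mar/2026:09:12:01 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 5120',
    '203.0.113.45 - - [20/Mar/2026:09:13:44 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 401 0',
    '198.51.100.7 - - [20/Mar/2026:09:14:02 +0000] "GET /wsm-pm/validator HTTP/1.1" 200 2048',
    '192.168.4.2 - - [20/Mar/2026:09:15:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 8192',
    '203.0.113.45 - - [20/Mar/2026:09:16:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for v in ("12.2.1.4.0", "14.1.2.1.0", "12.2.1.3.0"):
        print(v, "->", classify_version(v))
    for hit in find_external_hits(SAMPLE_LOG):
        print("EXTERNAL HIT", hit["src"], hit["method"], hit["path"], hit["status"])
```

A 401 on an external request is still a hit worth recording: the point of the review is reachability of the component from outside its boundary, not whether a particular request succeeded.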

No public PoC is available as of March 24. That window will not stay open indefinitely. CVE-2025-61757 went from patch to CISA KEV in under two months. Plan accordingly.
