Description
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-03-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and System Takeover
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager lets an unauthenticated attacker with network access over HTTP compromise either product. Oracle rates the outcome as takeover of the affected system, with high impact to confidentiality, integrity and availability (CVSS C:H/I:H/A:H); for an identity-management product this means that the identities, entitlements and access decisions it manages cannot be trusted after a successful attack.

Affected Systems

The affected products are Oracle Identity Manager and Oracle Web Services Manager, both part of Oracle Fusion Middleware. Versions 12.2.1.4.0 and 14.1.2.1.0 of each product are listed as affected; no other versions are listed. Because Oracle Web Services Manager is installed with Oracle Fusion Middleware Infrastructure, an installation can be exposed through that component even where Identity Manager itself is not deployed.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 reflects critical severity. The EPSS score is below 1%, but the vector (AV:N/AC:L/PR:N/UI:N) means the attack needs only network access over HTTP, no credentials and no user interaction, and the SSVC assessment recorded in the history below marks it as automatable with total technical impact, so a low EPSS should not be read as low risk. The vulnerability is not in CISA's KEV catalog at the time of writing, but the impact warrants urgent action. An attacker who can reach the exposed REST or Web Services Security endpoints can take full control of the affected system.

Generated by OpenCVE AI on March 20, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix from Oracle's advisory for this CVE, or upgrade to a release Oracle lists as not affected (no advisory or reference is linked on this page at the time of writing)
  • Verify the fix is in place on every host; Oracle patches are applied on top of an existing release, so the product version alone (12.2.1.4.0 or 14.1.2.1.0) does not show whether the patch is applied. Check the patch inventory instead (for example with OPatch's lsinventory command) and confirm the patch identifier from the advisory is present
  • Restrict network access to the Identity Manager REST endpoints and the Web Services Manager endpoints to trusted IP ranges; this is the main compensating control while the patch is pending, because the attack needs no credentials
  • Keep HTTPS enabled for these components, but do not treat it as a mitigation: transport encryption protects the contents of a session, not an endpoint that accepts unauthenticated requests (CWE-306)
  • Monitor access logs for requests to these endpoints from sources outside the trusted ranges, and for successful responses to requests that carry no credentials

Generated by OpenCVE AI on March 20, 2026 at 23:51 UTC.
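The last three actions above can be checked against WebLogic access logs. The following is an added example, not code from OpenCVE or Oracle: it parses access-log lines in the Common Log Format that WebLogic writes by default, flags requests to REST paths whose source lies outside an operator-supplied list of trusted networks, and counts how many of those were answered with a 2xx, since a success to an endpoint that should demand credentials is the pattern to chase for a missing-authentication issue. The path prefixes in REST_PREFIXES, the ranges in TRUSTED_NETS and the log lines in SAMPLE_LOG are all constructed placeholders; substitute the context roots your Identity Manager and Web Services Manager deployment actually serves and your own management ranges.

```python
"""Hunt WebLogic access logs for REST requests from outside trusted networks.

Added example, not OpenCVE's or Oracle's code. Assumptions: the log is in
the Common Log Format WebLogic writes by default; REST_PREFIXES and
TRUSTED_NETS are placeholders to be replaced with the context roots and
management ranges of the deployment being checked.
"""
import ipaddress
import re

# Placeholder context roots (assumption): adjust to the REST paths your
# OIM and OWSM installation actually exposes.
REST_PREFIXES = ("/iam/governance/selfservice/api/", "/wsm-pm/")

# Placeholder trusted ranges (assumption): the networks allowed to reach
# the REST surface, per the "restrict to trusted IP ranges" action.
TRUSTED_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
)

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Return a dict for one CLF line, or None if the line is malformed."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # prefix-match without the query string
    return rec


def is_trusted(host, trusted_nets=TRUSTED_NETS):
    """True only for a literal IP address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or garbage in the host field are never trusted
    return any(addr in net for net in trusted_nets)


def find_suspect_requests(lines, trusted_nets=TRUSTED_NETS, prefixes=REST_PREFIXES):
    """Requests to a REST prefix whose source is not in a trusted network."""
    prefixes = tuple(prefixes)
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not rec["path"].startswith(prefixes):
            continue
        if not is_trusted(rec["host"], trusted_nets):
            hits.append(rec)
    return hits


def summarize(hits):
    """Per source: how many REST requests were seen and how many got a 2xx.

    A 2xx from an untrusted source to an endpoint that should demand
    credentials is the signal to investigate for a CWE-306 issue.
    """
    out = {}
    for rec in hits:
        entry = out.setdefault(rec["host"], {"requests": 0, "succeeded": 0})
        entry["requests"] += 1
        if 200 <= rec["status"] < 300:
            entry["succeeded"] += 1
    return out


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the internet.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [20/Mar/2026:10:00:01 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Mar/2026:10:00:02 +0000] "GET /iam/governance/selfservice/api/v1/users?limit=50 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Mar/2026:10:00:03 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 201 312',
    '198.51.100.4 - - [20/Mar/2026:10:00:04 +0000] "GET /wsm-pm/validate HTTP/1.1" 401 0',
    '198.51.100.4 - - [20/Mar/2026:10:00:05 +0000] "GET /identity/faces/signin HTTP/1.1" 200 8800',
    'not a log line',
])

if __name__ == "__main__":
    for host, counts in summarize(find_suspect_requests(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {counts['requests']} REST requests, {counts['succeeded']} succeeded")
```

Run it against the real access.log of each managed server (the path depends on your domain layout) rather than the embedded sample. The trusted-range filter is deliberately strict: a host field that is a name rather than an address is treated as untrusted, because a log that resolves names cannot be matched against network ranges reliably.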

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via HTTP in Oracle Identity Manager and Web Services Manager

Fri, 20 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description
Removed: Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Added: Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Takeover via REST API in Oracle Identity and Web Services Manager
Weaknesses CWE-20
CWE-287

Fri, 20 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Takeover via REST API in Oracle Identity and Web Services Manager
Weaknesses CWE-20
CWE-287

Fri, 20 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle identity Manager
Oracle web Services Manager
CPEs cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle identity Manager
Oracle web Services Manager
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-03-24T03:55:56.892Z

Reserved: 2026-01-05T18:07:34.717Z

Link: CVE-2026-21992

Vulnrichment

Updated: 2026-03-20T14:38:27.251Z

NVD

Status : Analyzed

Published: 2026-03-20T03:15:58.680

Modified: 2026-03-23T15:30:30.950

Link: CVE-2026-21992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:09:37Z

Weaknesses