Description
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Identity Console component of Oracle Identity Manager and lets an attacker who can reach the console over HTTP perform unauthorized insert, update or delete operations on some of its data and read a subset of it. The weaknesses recorded for it are CWE-284 (Improper Access Control) and CWE-601 (URL Redirection to Untrusted Site, "Open Redirect"). The CVSS vector (PR:N, UI:R, S:C) describes an attacker who needs no credentials but does need a second person to take some action, consistent with a victim being induced to follow an attacker-crafted link, and an impact that can extend beyond Oracle Identity Manager itself. The resulting damage is a partial loss of integrity and confidentiality (C:L/I:L); availability is not affected (A:N).

Affected Systems

Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.0.0 are affected. Both are components of Oracle Fusion Middleware and provide identity and access management services for enterprise environments.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (Medium) reflects low confidentiality and integrity impacts and no availability impact. The vector describes an attack that is reachable over the network, low in complexity and requires no privileges, but needs a user other than the attacker to interact; the changed scope (S:C) means a successful attack can affect components beyond the vulnerable one. EPSS is below 1%, the vulnerability is not listed in CISA KEV, and the SSVC record marks it as not automatable with no known exploitation. Because a third-party interaction is required, widespread automated exploitation is unlikely, but targeted attacks remain plausible. Defensive focus should be on patching and on limiting network exposure of the Identity Console, given the moderate score and the scope change.

Generated by OpenCVE AI on April 22, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround reference is recorded on this page yet; see the OpenCVE Recommended Actions below for the Oracle CPU April 2026 patch.

OpenCVE Recommended Actions

  • Apply the Oracle CPU April 2026 patch for Oracle Identity Manager 12.2.1.4.0 and 14.1.2.0.0, as disclosed in the Oracle CPU April 2026 advisory.
  • Restrict HTTP access to the Identity Console to trusted networks or VPN connections, effectively limiting exposure to unauthenticated users.
  • Monitor web logs for suspicious HTTP requests to the Identity Console and alert on repeated unauthorized access attempts.

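As a worked example of the monitoring step above (added here; not OpenCVE's or Oracle's code), the script below scans constructed combined-format access log lines for console requests, counts 401/403 refusals per source and alerts on repeat offenders, and flags requests whose query parameters carry an off-site URL, since CWE-601 is one of the weaknesses recorded for this CVE. The /identity/ context path, the returnUrl parameter name, the admin path and the sample log lines are assumptions for illustration, not facts from this page; confirm the real console paths against your deployment before using it.

```python
"""Detection over front-end web-server access logs for the Identity Console.

Added example, not OpenCVE's or Oracle's code. Assumptions, all labelled:
  * the console is served under the context paths in CONSOLE_PREFIXES
    (assumed; confirm against your deployment);
  * the logs are in Apache/nginx "combined" format;
  * the parameter name returnUrl in the sample is hypothetical;
  * SAMPLE_LOG is constructed, not captured from a real system.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

CONSOLE_PREFIXES = ("/identity/",)      # assumed context path of the Identity Console
UNAUTHORIZED_STATUSES = {"401", "403"}
REPEAT_THRESHOLD = 3                    # alert once a source hits this many refusals

# Combined log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def external_redirect_params(target, own_hosts):
    """Return (param, value) pairs whose value is an absolute or scheme-relative
    URL pointing at a host outside own_hosts.

    CWE-601 (URL Redirection to Untrusted Site) is recorded for this CVE; a console
    request carrying an off-site URL is a review lead, not proof of exploitation."""
    own_hosts = {h.lower() for h in own_hosts}
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            # parse_qs has already percent-decoded the value once
            u = urlsplit("http:" + value) if value.startswith("//") else urlsplit(value)
            if u.scheme in ("http", "https") and u.hostname and u.hostname not in own_hosts:
                hits.append((name, value))
    return hits


def analyse(lines, own_hosts):
    """Scan log lines; return repeated unauthorized sources and off-site redirect leads."""
    refusals = Counter()
    redirect_leads = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["target"].startswith(CONSOLE_PREFIXES):
            continue                    # unparseable, or not a console request
        if rec["status"] in UNAUTHORIZED_STATUSES:
            refusals[rec["ip"]] += 1
        for name, value in external_redirect_params(rec["target"], own_hosts):
            redirect_leads.append({"ip": rec["ip"], "ts": rec["ts"], "param": name, "value": value})
    return {
        "repeated_unauthorized": sorted(ip for ip, n in refusals.items() if n >= REPEAT_THRESHOLD),
        "unauthorized_counts": dict(refusals),
        "external_redirects": redirect_leads,
    }


# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Apr/2026:09:00:01 +0000] "GET /identity/faces/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Apr/2026:09:00:05 +0000] "GET /identity/faces/home HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [22/Apr/2026:09:00:06 +0000] "POST /identity/faces/home HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [22/Apr/2026:09:00:07 +0000] "GET /identity/faces/admin HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [22/Apr/2026:09:01:10 +0000] "GET /identity/faces/home?returnUrl=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Apr/2026:09:01:12 +0000] "GET /identity/faces/home?returnUrl=%2Fidentity%2Ffaces%2Fhome HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [22/Apr/2026:09:02:00 +0000] "GET /static/logo.png HTTP/1.1" 401 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, own_hosts={"idm.corp.example"})
    for ip in result["repeated_unauthorized"]:
        print(f"ALERT repeated unauthorized console access from {ip} "
              f"({result['unauthorized_counts'][ip]} refusals)")
    for lead in result["external_redirects"]:
        print(f"REVIEW off-site URL in console request from {lead['ip']} at {lead['ts']}: "
              f"{lead['param']}={lead['value']}")
```

On the constructed sample, 203.0.113.9 trips the repeat threshold with three refusals, the request carrying returnUrl=https://evil.example/login is surfaced for review, and the same-site returnUrl and the non-console 401 are ignored. The redirect check compares hostnames after parse_qs has decoded the value once; if the front end double-decodes, extend it to decode again before splitting.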


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-284
                              CWE-601
Metrics                       ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
Description                           Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
First Time appeared                   Oracle
                                      Oracle Identity Manager
CPEs                                  cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
                                      cpe:2.3:a:oracle:identity_manager:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products                    Oracle
                                      Oracle Identity Manager
References
Metrics                               cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T15:35:09.911Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34283

Vulnrichment

Updated: 2026-04-22T15:35:05.616Z

NVD

Status : Received

Published: 2026-04-21T21:16:32.823

Modified: 2026-04-22T16:16:54.140

Link: CVE-2026-34283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses