CVE-2026-34286 - Vulnerability Details

- Remote Unauthenticated Data Manipulation in Oracle Identity Manager Connector

Description

Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Published: 2026-04-21

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Oracle Identity Manager Connector is vulnerable to an unauthenticated remote attack that allows an attacker with network access via HTTPS to create, delete, or modify critical data. This flaw results in complete loss of confidentiality and integrity of the data managed by the connector, as the attacker can alter or remove data without requiring any credentials.

Affected Systems

The affected system is the Oracle Identity Manager Connector from Oracle Corporation, specifically version 12.2.1.4.0 of the product.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 9.1, indicating a high severity. The attack vector is network-based over HTTPS, with low complexity and no authentication required, making it highly likely to be exploited by unauthenticated attackers. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the combination of high CVSS and easy exploitation path results in a significant risk to any environment exposing the connector over the network.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Identity Manager Connector

affected

Version	Status	Constraints
`12.2.1.4.0`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Identity Manager Connector

90%

Version	Status	Scheme	Platform
`12.2.1.4.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Oracle patch or upgrade to a version that fixes CVE-2026-34286.
Restrict external HTTPS access to the Oracle Identity Manager Connector, allowing only trusted IP ranges or VPN connections.
Audit system logs for unauthorized creation, deletion or modification activity and investigate any anomalies promptly.

Generated by OpenCVE AI on April 22, 2026 at 05:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 05:30:00 +0000

Type	Values Removed	Values Added
Title		Remote Unauthenticated Data Manipulation in Oracle Identity Manager Connector
Weaknesses		CWE-284 CWE-306

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
First Time appeared		Oracle Oracle identity Manager Connector
CPEs		cpe:2.3:a:oracle:identity_manager_connector:12.2.1.4.0:::::::*
Vendors & Products		Oracle Oracle identity Manager Connector
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Oracle Identity Manager Connector

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:23.712Z

Updated: 2026-04-22T14:19:20.931Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34286

Vulnrichment

Updated: 2026-04-22T14:19:17.974Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T21:16:33.277

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-34286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object