Description
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-04-21
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Unauthorized Data Modification
Action: Immediate Patch
AI Analysis

Impact

Oracle Identity Manager Connector 12.2.1.4.0 contains an easily exploitable flaw that an unauthenticated attacker with network access via HTTPS can use to compromise the connector. Successful exploitation can result in unauthorized creation, deletion, or modification of critical data or of all data accessible to the connector, as well as unauthorized read access to that data. The CVSS v3.1 base score of 9.1 reflects high confidentiality and integrity impact with no availability impact.

Affected Systems

The only version confirmed to be vulnerable is Oracle Identity Manager Connector 12.2.1.4.0, part of Oracle Fusion Middleware. No other versions or builds are listed in the data.

Risk and Exploitability

The high CVSS score, combined with a known unauthenticated network attack vector, indicates a high exploitation probability for environments that expose the Connector over HTTPS. Even though EPSS is not available and the vulnerability is not yet in the CISA KEV catalog, the ease of exploitation and the critical data impact call for immediate attention. Attackers can achieve unauthorized data manipulation or complete data exposure if the vulnerability is leveraged.

Generated by OpenCVE AI on April 22, 2026 at 05:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch to Oracle Identity Manager Connector 12.2.1.4.0, or upgrade to a non-vulnerable version.
  • Until the patch is applied, block external HTTPS traffic to the Connector or limit it to trusted internal hosts, and enforce strong authentication on the interface.
  • Enable detailed logging and audit monitoring for creation, deletion, or modification of data accessible to the Connector, and review exception events regularly.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:30:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated Remote Access Leading to Unauthorized Data Modification in Oracle Identity Manager Connector
Weaknesses | | CWE-269, CWE-284, CWE-287

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
First Time appeared | | Oracle; Oracle Identity Manager Connector
CPEs | | cpe:2.3:a:oracle:identity_manager_connector:12.2.1.4.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle Identity Manager Connector
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:24.273Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34287

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:33.417

Modified: 2026-04-21T21:16:33.417

Link: CVE-2026-34287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses