Description
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Confidentiality Breach
Action: Assess Impact
AI Analysis

Impact

Oracle Identity Manager Connector, part of Oracle Fusion Middleware, contains a flaw that permits unauthenticated HTTP requests to retrieve sensitive information. Successful exploitation enables an attacker to read all data exposed by the connector, resulting in a confidentiality compromise. The weakness is characterized as Improper Authentication (CWE-306) that leads to Information Exposure and is reflected in a CVSS 3.1 base score of 5.9 with impacts limited to confidentiality.

Affected Systems

Oracle Identity Manager Connector version 12.2.1.4.0 is affected. No other versions or products have been identified as impacted at this time.

Risk and Exploitability

The CVSS score of 5.9 rates the vulnerability as Medium. The description notes that it is difficult to exploit, and the EPSS score of <1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread attacks have been reported. The likely attack vector involves an unauthenticated attacker sending HTTP requests from a network that can reach the connector. Successful use of the vulnerability results in unauthorized access to all data that the connector exposes.

Generated by OpenCVE AI on April 28, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Oracle’s official security advisory for CVE-2026-34288 to determine whether a patch or remediation is available and apply it if released.
  • Restrict inbound HTTP traffic to the connector by configuring firewalls or network segmentation so that only trusted hosts can reach the service.
  • Disable or secure any default or unused accounts on the connector and enforce strong authentication and authorization controls.
  • Monitor access logs for anomalous HTTP requests and audit configuration changes to ensure no unauthorized access paths remain.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Enables Data Exposure in Oracle Identity Manager Connector

Mon, 27 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Data Retrieval in Oracle Identity Manager Connector
Weaknesses CWE-200
CWE-284

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Data Retrieval in Oracle Identity Manager Connector
Weaknesses CWE-200
CWE-284

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title Unauthorized HTTP Access in Oracle Identity Manager Connector v12.2.1.4.0 Allows Data Compromise
Weaknesses CWE-284
CWE-287

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unauthorized HTTP Access in Oracle Identity Manager Connector v12.2.1.4.0 Allows Data Compromise
Weaknesses CWE-284
CWE-287

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle identity Manager Connector
CPEs cpe:2.3:a:oracle:identity_manager_connector:12.2.1.4.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle identity Manager Connector
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:50:18.464Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34288

Vulnrichment

Updated: 2026-04-22T13:50:10.170Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:33.557

Modified: 2026-04-23T12:07:06.447

Link: CVE-2026-34288

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses