CVE-2026-34289 - Vulnerability Details

- Unauthenticated HTTPS Access Enables Unauthorized Data Compromise in Oracle Identity Manager Connector

Description

Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Published: 2026-04-21

Score: 5.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Oracle Identity Manager Connector contains a vulnerability that allows an unauthenticated attacker with network connectivity to the HTTPS interface to compromise the system. An attacker can read all data exposed by the connector, resulting in a confidentiality breach. The CVSS 3.1 base score of 5.9 indicates a moderate impact, with no direct integrity or availability effects reported.

Affected Systems

The affected product is Oracle’s Identity Manager Connector, version 12.2.1.4.0, part of Oracle Fusion Middleware Core. Only this specific release is listed as vulnerable, and no other versions were mentioned.

Risk and Exploitability

The risk is moderate, reflected in a CVSS score of 5.9, and the EPSS score is unavailable, so the quantitative likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. The attack requires network access over HTTPS and no authentication. While exploitation is described as difficult, the potential for unauthorized data exposure exists, especially in environments where the connector is exposed to the public network.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Identity Manager Connector

affected

Version	Status	Constraints
`12.2.1.4.0`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Identity Manager Connector

95%

Version	Status	Scheme	Platform
`12.2.1.4.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Inventory all Oracle Identity Manager Connector installations and verify that each is running version 12.2.1.4.0 or later.
Apply the latest Oracle patch or update that addresses this vulnerability as soon as it becomes available.
Restrict HTTPS access to the connector, limiting connections to trusted administrators or internal networks and block all unauthenticated requests through firewall or network segmentation.

Generated by OpenCVE AI on April 22, 2026 at 02:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated HTTPS Access Enables Unauthorized Data Compromise in Oracle Identity Manager Connector
Weaknesses		CWE-284 CWE-287

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared		Oracle Oracle identity Manager Connector
CPEs		cpe:2.3:a:oracle:identity_manager_connector:12.2.1.4.0:::::::*
Vendors & Products		Oracle Oracle identity Manager Connector
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Oracle Identity Manager Connector

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:25.243Z

Updated: 2026-04-21T20:35:25.243Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34289

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:33.687

Modified: 2026-04-21T21:16:33.687

Link: CVE-2026-34289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:45:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object