Description
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Microsoft Active Directory). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized read access to a subset of Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N).
Published: 2026-04-21
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Data Modification
Action: Apply Patch
AI Analysis

Impact

The Oracle Identity Manager Connector version 12.2.1.4.0 contains an improper access control flaw that enables a low‑privileged attacker who can reach the LDAP service to create, delete, or modify critical data stored by the connector. The vulnerability also allows unauthorized read access to a subset of the connector's data. While it does not provide code execution capabilities, it compromises data confidentiality and integrity by permitting unauthorized data alteration.

Affected Systems

Oracle Corporation’s Oracle Identity Manager Connector, 12.2.1.4.0.

Risk and Exploitability

The flaw has a CVSS v3.1 base score of 5.9 and no EPSS score is available. It is not currently listed in CISA’s KEV catalog. Exploitation requires network access to the LDAP service and a low‑privileged account. The attack vector is remote over the network, with high attack complexity, low privileges, and no user interaction, resulting in a moderate risk level. An adversary exploiting this vulnerability could gain unauthorized access to sensitive data and perform data modification operations.

Generated by OpenCVE AI on April 22, 2026 at 05:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Identity Manager Connector to the patched version released in Oracle CPU Apr 2026.
  • Restrict network access to the LDAP service so that only trusted hosts can communicate with the connector.
  • Enforce strict role‑based access control, ensuring that only authorized users can create, modify, or delete data, and monitor these operations for anomalies.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification via LDAP in Oracle Identity Manager Connector
Weaknesses CWE-284, CWE-286

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Microsoft Active Directory). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized read access to a subset of Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N).
First Time appeared Oracle, Oracle Identity Manager Connector
CPEs cpe:2.3:a:oracle:identity_manager_connector:12.2.1.4.0:*:*:*:*:*:*:*
Vendors & Products Oracle, Oracle Identity Manager Connector
References
Metrics cvssV3_1: score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:28.127Z

Reserved: 2026-03-26T19:48:45.677Z

Link: CVE-2026-34294

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:34.350

Modified: 2026-04-21T21:16:34.350

Link: CVE-2026-34294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z