Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Oracle Fusion Middleware Identity Manager. An attacker who owns a low‑privileged account and can reach the application over HTTP can exploit the flaw to compromise the entire Identity Manager installation, resulting in loss of confidentiality, integrity and availability of the system’s data and services.

Affected Systems

Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 are affected. These releases are part of Oracle Fusion Middleware and are commonly deployed for role‑based access control and identity governance.

Risk and Exploitability

The flaw has a CVSS v3.1 score of 8.8 and an EPSS score of less than 1 %, indicating a very low but non‑zero probability of exploitation in practice. It is not listed in the CISA KEV catalog, but its high severity and network‑based attack surface make it a strong candidate for prioritised remediation. The likely attack vector is network‑based HTTP traffic, requiring only a low‑privileged account; the attack could be automated and does not require local code execution.

Generated by OpenCVE AI on June 18, 2026 at 23:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Oracle update or patch that addresses this vulnerability.
  • Restrict HTTP access to the Identity Manager endpoints to trusted networks such as internal firewalls or VPNs.
  • Review and tighten authentication and authorization configurations to ensure that only privileged accounts can perform administrative actions.

Generated by OpenCVE AI on June 18, 2026 at 23:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title HTTP-based low‑privilege attacks enable full takeover of Oracle Identity Manager

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Identity Manager Remote Code Execution Leading to Full System Compromise
Weaknesses CWE-269
CWE-285

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Identity Manager Remote Code Execution Leading to Full System Compromise
Weaknesses CWE-269
CWE-285
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle identity Manager
CPEs cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle identity Manager
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Identity Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:23.846Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35265

cve-icon Vulnrichment

Updated: 2026-06-17T14:25:32.720Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:45:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function