Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker with low privileges and network access via HTTP to take control of Oracle Identity Manager. The weakness is a missing or incorrect permission check (CWE-306). Successful exploitation would grant the attacker full compromise of the system, resulting in loss of confidentiality, integrity, and availability of the managed identities and related services.

Affected Systems

Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 are affected.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 denotes a high severity. The EPSS score of <1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA KEV. Attackers would need to reach the Identity Manager REST WebServices over HTTP, so the threat is primarily remote and requires network connectivity to the affected service. Once accessed, the attacker could take over the application and its underlying resources.

Generated by OpenCVE AI on June 19, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for Identity Manager 12.2.1.4.0 and 14.1.2.1.0, which corrects access control and privilege checks associated with CWE-306.
  • Restrict access to the Identity Manager REST WebServices by firewalling or VPNing the IP ranges that require access, enforcing proper authentication and authorization as per CWE-306.
  • If the REST WebServices feature is not required, disable or isolate it; otherwise configure strict authentication and authorization controls to mitigate CWE-306 vulnerabilities.

Generated by OpenCVE AI on June 19, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Low-Privilege Exploitation of Oracle Identity Manager REST WebServices Access Control

Fri, 19 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Low-Privilege Takeover via REST WebServices in Oracle Identity Manager
Weaknesses CWE-284
CWE-862

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege Takeover via REST WebServices in Oracle Identity Manager
Weaknesses CWE-284
CWE-306
CWE-862
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle identity Manager
CPEs cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle identity Manager
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Identity Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:26.002Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35267

cve-icon Vulnrichment

Updated: 2026-06-17T14:23:53.061Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T02:00:10Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function