Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker with low privileges and network access via HTTP to take control of Oracle Identity Manager. Successful exploitation would grant the attacker full compromise of the system, resulting in loss of confidentiality, integrity, and availability of the managed identities and related services.

Affected Systems

Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 are affected.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 denotes a high severity. The EPSS score of <1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA KEV. Attackers would need to reach the Identity Manager REST WebServices over HTTP, so the threat is primarily remote and requires network connectivity to the affected service. Once accessed, the attacker could take over the application and its underlying resources.

Generated by OpenCVE AI on June 17, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for Identity Manager 12.2.1.4.0 and 14.1.2.1.0 as released by Oracle.
  • Restrict access to the REST WebServices endpoints with firewall rules or a VPN, limited to the IP ranges that require access, so that only trusted hosts can reach the service.
  • Disable or isolate the REST WebServices feature if not needed, or configure strict authentication and authorization controls around it.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle Identity Manager
CPEs | | cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle Identity Manager
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Identity Manager
MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:23:57.389Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35267

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

No weakness.