Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Identity Manager accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the REST WebServices component of Oracle Identity Manager. It allows an unauthenticated attacker to create, delete, or modify critical data, or all data accessible to Identity Manager. Successful exploitation results in unauthorized manipulation of that data; per the CVSS vector (C:N/I:H/A:N), the impact is on integrity, not confidentiality or availability.

Affected Systems

Oracle Identity Manager, part of Oracle Fusion Middleware, is affected in versions 12.2.1.4.0 and 14.1.2.1.0. Any deployment whose REST interface is reachable over HTTP, whether from a public or an internal network, is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 is rated High, with the impact confined to integrity. The EPSS score of < 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in KEV, but given the easy exploitation and the sensitivity of the data, it is advisable to treat it as a long-term threat. Per the CVSS vector (AV:N/PR:N/UI:N), an attacker needs network access to the REST endpoint over HTTP and no authentication or user interaction.

Generated by OpenCVE AI on June 17, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle security patch for Identity Manager 12.2.1.4.0 and 14.1.2.1.0 that addresses the REST WebServices access control flaw.
  • Restrict network connectivity to the REST WebServices endpoint by configuring firewalls or VPN so only trusted hosts can reach the service.
  • Enable or enforce authentication on the REST API and disable any default or anonymous access to ensure only authorized users can invoke the service.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Identity Manager accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
First Time appeared | | Oracle; Oracle identity Manager
CPEs | | cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle identity Manager
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:16:37.227Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35269

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

No weakness.