Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Identity Manager contains a flaw in its Legacy UI component that allows an unauthenticated attacker to send specially crafted requests over the T3 or IIOP protocols, bypassing authentication and enabling complete compromise of the Identity Manager instance. The vulnerability results in loss of confidentiality, integrity, and availability, and represents an improper access control weakness similar to CWE-284.

Affected Systems

The affected product is Oracle Corporation’s Identity Manager, specifically versions 12.2.1.4.0 and 14.1.2.1.0. This issue resides in the OIM Legacy UI component of Oracle Fusion Middleware; no other vendors or products are listed in the CVE record.

Risk and Exploitability

With a CVSS v3.1 base score of 9.8, the flaw poses a high severity risk across all CIA categories. The EPSS score is less than 1%, indicating that while exploitation is straightforward, the likelihood of a real-world attack remains low at present. The vulnerability is not listed in the CISA KEV catalog. Authentication is not required, so an attacker can hijack the Identity Manager over the network via T3 or IIOP and assume complete administrative control.

Generated by OpenCVE AI on June 17, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for Identity Manager 12.2.1.4.0 and 14.1.2.1.0 that addresses CVE-2026-46807.
  • Restrict inbound T3 and IIOP traffic to Oracle Identity Manager servers to trusted IP addresses only, for example using firewall or network ACLs.
  • Disable or remove legacy UI features if they are not required, or move to an updated UI component that is not affected.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Type: First Time appeared
  Values Removed: (none)
  Values Added: Oracle; Oracle identity Manager

Type: CPEs
  Values Removed: (none)
  Values Added:
    cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Oracle; Oracle identity Manager

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:19:32.332Z

Reserved: 2026-05-18T15:55:10.300Z

Link: CVE-2026-46807

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:30:15Z

Weaknesses

No weakness.