Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Identity Manager contains a flaw in its OIM Legacy UI component that allows an unauthenticated attacker to send specially crafted requests over the T3 or IIOP protocols, bypassing authentication and enabling complete compromise of the Identity Manager instance. The vulnerability results in loss of confidentiality, integrity, and availability, and represents an improper access control weakness (CWE‑306).

Affected Systems

The affected product is Oracle Corp’s Identity Manager, specifically versions 12.2.1.4.0 and 14.1.2.1.0. The bug resides in the OIM Legacy UI component of Oracle Fusion Middleware; no other vendors or products are listed in the CVE record.

Risk and Exploitability

With a CVSS v3.1 base score of 9.8, the flaw poses a high severity risk across all CIA categories. The EPSS score is less than 1%, indicating that while exploitation is straightforward, the likelihood of a real‑world attack remains low at present. Authentication is not required, so an attacker can hijack the Identity Manager over the network via T3 or IIOP and assume complete administrative control.

Generated by OpenCVE AI on June 19, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Oracle's website or security alerts for an available patch or update addressing CVE‑2026‑46807.
  • Restrict inbound T3 and IIOP traffic to Oracle Identity Manager servers to trusted IP addresses only, for example using firewall or network ACLs.
  • Disable or remove legacy UI features if they are not required, or move to an updated UI component that is not affected.

Generated by OpenCVE AI on June 19, 2026 at 00:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Takeover via T3/IIOP in Oracle Identity Manager OIM Legacy UI

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Exploit Enables Full Compromise of Oracle Identity Manager
Weaknesses CWE-284

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Exploit Enables Full Compromise of Oracle Identity Manager
Weaknesses CWE-284
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle identity Manager
CPEs cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle identity Manager
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Identity Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:56:10.759Z

Reserved: 2026-05-18T15:55:10.300Z

Link: CVE-2026-46807

cve-icon Vulnrichment

Updated: 2026-06-17T15:19:28.179Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:45:04Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function