Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: End User Self Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Identity Manager accessible data as well as unauthorized read access to a subset of Identity Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the End User Self Service component of Oracle Identity Manager. An unauthenticated attacker who can reach the system via IIOP may exploit the flaw to perform unauthorized insert, update, or delete operations on some Identity Manager accessible data and to read a subset of that data. The resulting confidentiality and integrity impact is reflected in a CVSS 3.1 Base Score of 6.5 (Medium severity).

Affected Systems

Oracle Corporation Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 are affected.

Risk and Exploitability

The flaw is exploitable over the network through the IIOP protocol and requires no user credentials, giving the attacker unauthorized update, insert or delete access to some Identity Manager accessible data and read access to a subset of it. The EPSS score of less than 1% indicates a low estimated probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, because the attack permits data modification and disclosure, it warrants prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for Identity Manager that addresses the End User Self Service vulnerability, as detailed in the Oracle security advisory.
  • Restrict IIOP network traffic to trusted hosts only by configuring firewalls or intrusion prevention systems.
  • Disable or isolate the End User Self Service feature if it is not required for business operations.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: End User Self Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Identity Manager accessible data as well as unauthorized read access to a subset of Identity Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). |
| First Time appeared | | Oracle; Oracle identity Manager |
| CPEs | | cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Oracle; Oracle identity Manager |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:22:15.026Z

Reserved: 2026-05-18T15:55:10.301Z

Link: CVE-2026-46810

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:30:15Z

Weaknesses

No weakness.