Oracle has issued an out-of-band security advisory for CVE-2026-21992, a critical unauthenticated remote code execution (RCE) vulnerability. This flaw affects Oracle Identity Manager and Oracle Web Services Manager, both vital components for enterprise identity and access management.
The vulnerability carries a CVSS score of 9.8: attack complexity is low, and it is exploitable over HTTP without user interaction. Oracle strongly advises administrators to apply the patches immediately to mitigate the risk of exploitation on internet-exposed servers.
While Oracle has not confirmed active exploitation, the release of an out-of-schedule fix under its Security Alert program underscores the severity. The vulnerability impacts versions 12.2.1.4.0 and 14.1.2.1.0, and the update is available for versions under Premier or Extended Support.