Oracle has issued an out-of-band Security Alert addressing a critical remote code execution (RCE) vulnerability, CVE-2026-21992, affecting two widely deployed Fusion Middleware components, Oracle Identity Manager and Oracle Web Services Manager.
The vulnerability carries a CVSS 3.1 base score of 9.8, placing it among the most severe classifications in Oracle’s risk framework.
CVE-2026-21992 is an unauthenticated, remotely exploitable flaw that requires no user interaction or special privileges to exploit. The attack vector is network-based with low complexity, meaning a threat actor only needs HTTP access to an exposed endpoint to potentially trigger remote code execution.
All three impact categories (Confidentiality, Integrity, and Availability) are rated High, indicating that a successful exploit could grant an attacker full control over the affected system.
In Oracle Identity Manager, the vulnerability resides in the REST Web Services component, while in Oracle Web Services Manager, the flaw exists within the Web Services Security module.
Oracle notes that Web Services Manager is typically installed alongside Oracle Fusion Middleware Infrastructure, expanding the potential attack surface across enterprise deployments.
Affected Versions
The vulnerability impacts the following product versions:
| Product | Affected Versions |
|---|---|
| Oracle Identity Manager | 12.2.1.4.0, 14.1.2.1.0 |
| Oracle Web Services Manager | 12.2.1.4.0, 14.1.2.1.0 |
Both affected versions fall under the Fusion Middleware patch track, with patch documentation available via Oracle’s Security Alert advisory page and My Oracle Support (Document ID KB878741).
A CVSS score of 9.8 with no authentication requirement makes this vulnerability particularly dangerous for organizations with internet-facing Oracle Fusion Middleware deployments.
Oracle Identity Manager is a widely used identity governance platform, and Oracle Web Services Manager handles security policy enforcement for web services; both are critical infrastructure components in large enterprise and government environments. Exploitation of either could result in full system compromise, credential theft, or lateral movement across connected systems.
Oracle strongly urges all customers to apply the available patches immediately. The alert, initially released on March 19, 2026, received an updated revision on March 20, 2026, with an additional note from Oracle.
Organizations running unsupported versions of the affected products are advised to upgrade to a supported release, as patches are only provided for versions under Premier Support or Extended Support phases per Oracle’s Lifetime Support Policy.
Security teams should prioritize patching any externally accessible instances and review HTTP/HTTPS exposure of REST Web Services and Web Services Security endpoints until remediation is complete. Customers can reference the full risk matrix and verbose CVE details on Oracle’s official Security Alerts portal.
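The prioritisation step above (patch externally reachable instances first) is easy to mechanise against an asset inventory. The script below is an added example, not Oracle's tooling; it matches each inventoried instance against the versions in the affected-versions table and orders the hits with internet-facing ones first. The inventory rows are constructed, and the version normalisation (padding a short version such as 12.2.1.4 with trailing zeros) is an assumption about how versions might be recorded, not something the advisory specifies.

```python
"""Triage an asset inventory against the versions Oracle lists as affected by
CVE-2026-21992. Added example; the inventory below is constructed."""
from dataclasses import dataclass

# Affected versions exactly as given in the advisory's risk matrix.
AFFECTED = {
    "Oracle Identity Manager": {"12.2.1.4.0", "14.1.2.1.0"},
    "Oracle Web Services Manager": {"12.2.1.4.0", "14.1.2.1.0"},
}
VERSION_FIELDS = 5  # Oracle versions on the page have five components.


@dataclass
class Instance:
    host: str
    product: str
    version: str
    internet_facing: bool


def normalize(version: str) -> tuple:
    """'12.2.1.4' -> (12, 2, 1, 4, 0); assumption: missing trailing fields are 0."""
    fields = [int(f) for f in version.strip().split(".")]
    fields += [0] * (VERSION_FIELDS - len(fields))
    return tuple(fields[:VERSION_FIELDS])


def is_affected(inst: Instance) -> bool:
    """True when the product is in the matrix and the version matches a listed one."""
    listed = AFFECTED.get(inst.product, set())
    return any(normalize(inst.version) == normalize(v) for v in listed)


def triage(instances: list) -> list:
    """Return affected instances ordered for patching: internet-facing first,
    then alphabetically by host so the output is stable."""
    hits = [i for i in instances if is_affected(i)]
    return sorted(hits, key=lambda i: (not i.internet_facing, i.host))


# Constructed inventory for demonstration only.
INVENTORY = [
    Instance("oim-internal-01", "Oracle Identity Manager", "14.1.2.1.0", False),
    Instance("oim-portal-01", "Oracle Identity Manager", "12.2.1.4", True),
    Instance("owsm-infra-02", "Oracle Web Services Manager", "12.2.1.4.0", False),
    Instance("wls-build-03", "Oracle WebLogic Server", "14.1.2.0.0", True),
]


def patch_order(instances: list = INVENTORY) -> list:
    """Hostnames in the order they should be patched."""
    return [i.host for i in triage(instances)]


if __name__ == "__main__":
    for inst in triage(INVENTORY):
        exposure = "INTERNET-FACING" if inst.internet_facing else "internal"
        print(f"{inst.host:18} {inst.product:30} {inst.version:12} {exposure}")
```

Instances whose product is not in the matrix (the WebLogic row) are deliberately left out of the result rather than reported as safe: the advisory only says which versions of the two named products are affected, so absence from the list is not evidence of anything about other products.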