Oracle has released urgent security updates to fix CVE-2026-21992, a critical 9.8 CVSS flaw in Identity Manager and Web Services Manager that allows remote code execution without authentication.
Oracle has issued critical security updates to address CVE-2026-21992, a severe vulnerability in its Identity Manager and Web Services Manager products that enables unauthenticated remote code execution. The flaw, which carries a CVSS score of 9.8 out of 10.0, affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, as well as Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.
According to Oracle's security advisory, the vulnerability is "remotely exploitable without authentication," meaning attackers can compromise vulnerable systems without needing valid credentials. The National Vulnerability Database (NVD) describes the flaw as "easily exploitable" and notes that an unauthenticated attacker with network access via HTTP could potentially take complete control of affected instances.
This critical patch comes amid growing concerns about Oracle product vulnerabilities. In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61757, another pre-authentication remote code execution flaw in Oracle Identity Manager with a 9.8 CVSS score, to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation in the wild.
While Oracle has not reported any active exploitation of CVE-2026-21992, the company strongly recommends that customers apply the security updates immediately. The severity of the vulnerability and its potential for complete system compromise make timely patching essential for organizations using affected Oracle products.
Organizations running Oracle Identity Manager or Web Services Manager should verify their installed versions against the affected list and apply the necessary updates as soon as possible. This disclosure underscores the critical importance of maintaining current security patches, particularly for enterprise identity and access management systems that serve as gateways to sensitive organizational resources.
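The version check described above, as an added example that is not part of the article or of any Oracle tooling: it reads a constructed host inventory, canonicalises dotted version strings (Oracle versions are often written with or without a trailing `.0`), matches them exactly against the product versions the advisory names for CVE-2026-21992, and ranks hits by whether the host is reachable over HTTP from untrusted networks, since the advisory's attack vector is unauthenticated HTTP. The inventory rows and the `http_exposed` column are assumptions made for the example; in practice the product and version fields would come from your own asset inventory.

```python
"""Affected-version triage for CVE-2026-21992 (added example, constructed data)."""
import csv
import io
from dataclasses import dataclass

# Products and exact versions the article names as affected by CVE-2026-21992.
# Oracle advisories enumerate affected versions exactly, so the match below is
# on the full version, not a range; other versions need Oracle's advisory, not a guess.
AFFECTED_VERSIONS = {
    "Oracle Identity Manager": {"12.2.1.4.0", "14.1.2.1.0"},
    "Oracle Web Services Manager": {"12.2.1.4.0", "14.1.2.1.0"},
}

# Constructed sample inventory. The http_exposed column is an assumption for
# this example: whether the host accepts HTTP from untrusted networks.
SAMPLE_INVENTORY = """\
host,product,version,http_exposed
oim-prod-01,Oracle Identity Manager,12.2.1.4,yes
oim-prod-02,Oracle Identity Manager,14.1.2.1.0,no
owsm-edge-01,Oracle Web Services Manager,14.1.2.1.0,yes
owsm-dev-01,Oracle Web Services Manager,12.2.1.3.0,no
db-01,Oracle Database,19.0.0.0.0,no
"""


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    priority: str  # "P1": affected and HTTP-exposed; "P2": affected, not exposed


def parse_version(raw: str, parts: int = 5) -> tuple[int, ...]:
    """Canonicalise '12.2.1.4' or ' 12.2.1.4.0 ' into (12, 2, 1, 4, 0)."""
    fields = [int(p) for p in raw.strip().split(".") if p]
    if not fields or len(fields) > parts:
        raise ValueError(f"unparseable version: {raw!r}")
    return tuple(fields + [0] * (parts - len(fields)))


# Pre-parse the affected list once so inventory rows compare tuple-to-tuple.
AFFECTED = {
    product: {parse_version(v) for v in versions}
    for product, versions in AFFECTED_VERSIONS.items()
}


def triage(inventory_csv: str) -> list[Finding]:
    """Return affected hosts, most urgent first (P1 before P2, then by hostname)."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip()
        if product not in AFFECTED:
            continue  # product not named in the advisory
        if parse_version(row["version"]) not in AFFECTED[product]:
            continue  # version not in the affected list for this product
        exposed = row["http_exposed"].strip().lower() == "yes"
        findings.append(
            Finding(row["host"].strip(), product, row["version"].strip(),
                    "P1" if exposed else "P2")
        )
    return sorted(findings, key=lambda f: (f.priority, f.host))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.priority}  {f.host:<14} {f.product:<30} {f.version}")
```

The exact-match design is deliberate: treating the advisory's versions as an upper or lower bound would either miss affected builds or flag ones Oracle has not listed, so anything outside the enumerated set is reported as "check the advisory" rather than silently cleared.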
For more information on the affected products and patching procedures, organizations should consult Oracle's official security advisory and follow their recommended mitigation steps.
