CVE-2026-21992
Published: 20 March 2026
Summary
CVE-2026-21992 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Identity Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly counters CWE-306 missing authentication for critical functions by restricting permitted actions without identification or authentication to only non-essential ones in the vulnerable REST WebServices and Web Services Security components.
- AC-3 (Access Enforcement): enforces approved access control policies to prevent unauthenticated network attackers from compromising Oracle Identity Manager and Web Services Manager via HTTP.
- Flaw remediation: requires timely remediation of the specific flaw in affected versions 12.2.1.4.0 and 14.1.2.1.0 to eliminate the unauthenticated takeover vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on public-facing REST/Web Services components (CWE-306) directly enables remote unauthenticated exploitation over HTTP, matching T1190 for initial access and full component takeover.
NVD Description
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Deeper analysis
CVE-2026-21992 is a critical vulnerability affecting the Oracle Identity Manager product of Oracle Fusion Middleware, specifically in the REST WebServices component, and the Oracle Web Services Manager product of Oracle Fusion Middleware, specifically in the Web Services Security component. Supported versions impacted include 12.2.1.4.0 and 14.1.2.1.0. The issue, associated with CWE-306 (Missing Authentication for Critical Function), carries a CVSS 3.1 Base Score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impacts on confidentiality, integrity, and availability. Note that Oracle Web Services Manager is installed alongside Oracle Fusion Middleware Infrastructure.
The vulnerability is easily exploitable by an unauthenticated attacker who has network access via HTTP. Successful exploitation allows the attacker to fully compromise Oracle Identity Manager and Oracle Web Services Manager, resulting in takeover of these components.
Oracle has published a security alert providing details on the vulnerability at https://www.oracle.com/security-alerts/alert-cve-2026-21992.html, which security practitioners should consult for mitigation guidance and patch information.
Details
- CWE(s)