CVE-2026-34285
Published: 21 April 2026
Summary
CVE-2026-34285 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Identity Manager Connector. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely identification, reporting, and patching of flaws as provided in the Oracle Critical Patch Update advisory.
Limits critical functions like data creation, deletion, modification, and access that can be performed without identification or authentication, addressing CWE-306 missing authentication.
Controls and monitors network communications at external interfaces to block or identify unauthenticated HTTPS access to the vulnerable connector.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authentication for critical function (CWE-306) in a network-accessible Oracle Identity Manager Connector component exposed via HTTPS, directly enabling unauthenticated remote exploitation to access and manipulate critical data.
NVD Description
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful…
more
attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Deeper analysisAI
CVE-2026-34285 is a vulnerability in the Core component of the Oracle Identity Manager Connector product within Oracle Fusion Middleware. The supported version affected is 12.2.1.4.0. This easily exploitable issue carries a CVSS 3.1 base score of 9.1, with impacts to confidentiality and integrity but no availability impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). It is associated with CWE-306 (Missing Authentication for Critical Function).
An unauthenticated attacker with network access via HTTPS can exploit this vulnerability to compromise the Oracle Identity Manager Connector. Successful attacks enable unauthorized creation, deletion, or modification of critical data or all Oracle Identity Manager Connector accessible data, as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data.
The Oracle Critical Patch Update advisory provides details on mitigation and patches: https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)