CVE-2026-34286
Published: 21 April 2026
Summary
CVE-2026-34286 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Identity Manager Connector. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.2nd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-2 (Flaw Remediation): Directly remediates the missing authentication flaw in CVE-2026-34286 by applying the Oracle Critical Patch Update patches, preventing exploitation.
- AC-3 (Access Enforcement): Enforces approved authorizations to block the unauthorized creation, deletion, modification, and access to critical data that this unauthenticated vulnerability enables.
- Boundary protection: Monitors and controls network communications at boundaries to restrict unauthenticated HTTPS access to the vulnerable Oracle Identity Manager Connector.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability is a missing authentication flaw (CWE-306) in a network-accessible component of Oracle Identity Manager Connector. It directly enables unauthenticated remote exploitation of a public-facing application over HTTPS, yielding initial access and the ability to read and manipulate data.
NVD Description
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Deeper analysis (AI-generated)
CVE-2026-34286 is a vulnerability in the Core component of the Oracle Identity Manager Connector product within Oracle Fusion Middleware. The supported version affected is 12.2.1.4.0. Published on 2026-04-21, it is classified under CWE-306 and carries a CVSS 3.1 base score of 9.1, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impacts but no availability impact.
An unauthenticated attacker with network access via HTTPS can easily exploit this vulnerability to compromise the Oracle Identity Manager Connector. Successful attacks enable unauthorized creation, deletion, or modification of critical data, or of all data accessible to Oracle Identity Manager Connector, as well as unauthorized read access to critical data or complete access to all such data. Because no privileges or user interaction are required (PR:N, UI:N), exposure of the affected component to untrusted networks is the primary risk factor.
Oracle's Critical Patch Update for April 2026 provides information on mitigation and patches for this vulnerability, detailed at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)