CVE-2026-34286

Severity: Critical

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: Oracle Critical Patch Update, April 2026
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0041 (32.9th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-34286 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Identity Manager Connector. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 32.9th percentile by exploit likelihood (EPSS 0.0041, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34286 is a vulnerability in the Core component of the Oracle Identity Manager Connector product within Oracle Fusion Middleware. The supported version affected is 12.2.1.4.0. Published on 2026-04-21, it is classified under CWE-306 and carries a CVSS 3.1 base score of 9.1, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impacts but no availability impact.

An unauthenticated attacker with network access via HTTPS can easily exploit this vulnerability to compromise the Oracle Identity Manager Connector. Successful attacks enable unauthorized creation, deletion, or modification of critical data or all Oracle Identity Manager Connector accessible data, as well as unauthorized access to critical data or complete access to all such data.

Oracle's Critical Patch Update for April 2026 provides information on mitigation and patches for this vulnerability, detailed at https://www.oracle.com/security-alerts/cpuapr2026.html.

Vulnerability details

Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

CWE(s)

CWE-306: Missing Authentication for Critical Function
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a missing authentication flaw (CWE-306) in a network-accessible Oracle Identity Manager Connector component, directly enabling unauthenticated remote exploitation of a public-facing application over HTTPS for initial access and data manipulation.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-34285 (same product: Oracle Identity Manager Connector)
CVE-2026-34287 (same product: Oracle Identity Manager Connector)
CVE-2025-61757 (same vendor: Oracle)
CVE-2026-21992 (same vendor: Oracle)
CVE-2025-21515 (same vendor: Oracle)
CVE-2025-21535 (same vendor: Oracle)
CVE-2026-34275 (same vendor: Oracle)
CVE-2025-53072 (same vendor: Oracle)
CVE-2025-21524 (same vendor: Oracle)
CVE-2026-34279 (same vendor: Oracle)

Affected Assets

Vendor: Oracle
Product: Identity Manager Connector
Version: 12.2.1.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the missing authentication flaw in CVE-2026-34286 by applying Oracle Critical Patch Update patches to prevent exploitation.

Prevent: Enforces approved authorizations to block unauthorized creation, deletion, modification, and access to critical data enabled by this unauthenticated vulnerability.

Prevent: Monitors and controls network communications at boundaries to restrict unauthenticated HTTPS access to the vulnerable Oracle Identity Manager Connector.

References

Oracle Critical Patch Update Advisory, April 2026: https://www.oracle.com/security-alerts/cpuapr2026.html