CVE-2026-34287
Published: 21 April 2026
Summary
CVE-2026-34287 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle Identity Manager Connector. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the improper access control flaw in Oracle Identity Manager Connector Core by requiring timely application of vendor patches from the Critical Patch Update advisory.
Enforces approved authorizations for logical access, preventing unauthenticated attackers from gaining unauthorized create, delete, modify, or read access to critical data.
Controls communications at external interfaces via HTTPS, limiting network access to the vulnerable component and reducing exploitation opportunities for unauthenticated remote attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated remote access control flaw in a publicly accessible HTTPS component of Oracle Identity Manager Connector, directly enabling exploitation of a public-facing application to achieve data access and manipulation.
NVD Description
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful…
more
attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Deeper analysisAI
CVE-2026-34287 is a vulnerability in the Core component of the Oracle Identity Manager Connector product within Oracle Fusion Middleware. The supported version affected is 12.2.1.4.0. This easily exploitable issue carries a CVSS 3.1 Base Score of 9.1, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impacts but no availability impact. It is associated with CWE-284 (Improper Access Control).
An unauthenticated attacker with network access via HTTPS can exploit this vulnerability to compromise the Oracle Identity Manager Connector. Successful exploitation enables unauthorized creation, deletion, or modification of critical data or all data accessible to the connector, as well as unauthorized access to critical data or complete access to all connector-accessible data.
The Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html provides details on mitigation, including recommended patches for the affected version. Security practitioners should review and apply these updates promptly to address the vulnerability.
Details
- CWE(s)