CVE-2026-34290
Published: 21 April 2026
Summary
CVE-2026-34290 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle Identity Manager Connector. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires applying the Oracle Critical Patch Update to directly fix the uncontrolled resource consumption vulnerability in the Identity Manager Connector.
Denial-of-service protection (SC-5) implements techniques to prevent and detect resource exhaustion attacks such as the unauthenticated, TCP-based DoS in this CVE.
Resource availability (SC-6) enforces limits on resource allocation to mitigate the unauthorized consumption that leads to the hangs or crashes exploited in this vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote, unauthenticated exploitation that consumes resources until the component hangs or crashes (DoS), which maps directly to Application or System Exploitation (T1499.004) under Endpoint Denial of Service.
NVD Description
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Identity Manager Connector. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Deeper analysis
CVE-2026-34290 is a vulnerability in the Core component of the Oracle Identity Manager Connector product within Oracle Fusion Middleware. The supported version affected is 12.2.1.4.0. This issue, linked to CWE-400 (Uncontrolled Resource Consumption), carries a CVSS 3.1 base score of 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with high availability impact but no confidentiality or integrity effects.
An unauthenticated attacker with network access via TCP can easily exploit this vulnerability to compromise the Oracle Identity Manager Connector. Successful exploitation enables the attacker to cause a hang or frequently repeatable crash, resulting in a complete denial of service (DoS) against the affected component.
The Oracle Critical Patch Update advisory provides details on mitigation and patches: https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)