English
EN
Français
FR
Language
English
EN
Français
FR

CVE Vulnerabilities

Posts & Pages

No results found for ""

Try different keywords or check spelling

Search in CVE database, posts & pages • Press ESC to close

DNA View

Critical Severity Vulnerability

This vulnerability has been rated as Critical severity. Immediate action is recommended.

CVE-2026-21992

Critical
Low Medium High Critical
9.8
CVSS Score
Published: Mar 20, 2026
Last Modified: Mar 23, 2026
CWE: CWE-306

Vulnerability Description

Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
H
Integrity
H
Availability
H

Known Affected Software

4 configuration(s) from 1 vendor(s)

identity_manager
Version:
14.1.2.1.0
CPE:
cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
identity_manager
Version:
12.2.1.4.0
CPE:
cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
web_services_manager
Version:
12.2.1.4.0
CPE:
cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:*
web_services_manager
Version:
14.1.2.1.0
CPE:
cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*
This vulnerability affects 4 software configuration(s). Ensure you patch all affected systems.

References & Resources

Severity Details

9.8
out of 10.0
Critical

Weakness Type (CWE)

CWE-306 Top 25 #16

Missing Authentication for Critical Function

Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Exploit Likelihood
High
Typical Severity
High
OWASP Top 10
A07:2021-Identification/Auth Failures
Abstraction Level
Base
View CWE Details on MITRE

Key Information

Published Date
March 20, 2026

External Resources

NIST
NIST NVD
National Vulnerability Database
MT
MITRE CVE
Official CVE record