LeakyCreds

CVE-2026-21992 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: March 20, 2026

Oracle Identity Manager - Remote Code Execution

Published: March 20, 2026 | Updated: March 20, 2026 | PoC Available | Remote Exploitable

Overview

Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 contain a remote code execution vulnerability in the REST WebServices and Web Services Security components that lets unauthenticated network attackers fully compromise the system. Exploitation requires network access via HTTP.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 5.8% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can fully compromise Oracle Identity Manager and Oracle Web Services Manager, leading to complete system takeover.

Mitigation

Update to the latest available version.

Social Media Activity (1 post)

Jeff Hall - PCIGuru :verified:
@jbhall56
Mar 24, 2026

CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild. https://www.securityweek.com/oracle-releases-emergency-patch-for-critical-identity-manager-vulnerability/


Details

CVE ID: CVE-2026-21992
Severity: Critical
CVSS Score: 9.8
Type: undefined
Status: unconfirmed
EPSS: 5.8%
Social Posts: 1

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.8% (Probability of exploitation in the next 30 days)