{"uuid": "a718c241-f3e8-4cc6-b3dc-f71d5790b014", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager", "description": "# Oracle Security Alert Advisory - CVE-2026-21992\n\n\n### Description\n\nThis Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.\n\nOracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.\n\n### Affected Products and Patch Information\n\nThe security vulnerability addressed by this Security Alert affects the products listed below.\n\n**Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.**\n\n### Security Alert Supported Products and Versions\n\nPatches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the [Lifetime Support Policy](https://www.oracle.com/us/support/lifetime-support/index.html?ssSourceSiteId=otnen). Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.\n\nProduct releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. 
As a result, Oracle recommends that customers upgrade to supported versions.\n\nFusion Middleware products are patched in accordance with the Software Error Correction Support Policy explained in [My Oracle Support Note KB65129](https://support.oracle.com/support/?documentId=KB65129). Please review the [Technical Support Policies](https://www.oracle.com/us/support/policies/index.html?ssSourceSiteId=otnen) for further guidelines regarding support policies and phases of support.\n\n### References\n\n*   [Oracle Critical Patch Updates, Security Alerts and Bulletins](https://www.oracle.com/security-alerts)\n*   [Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions](https://www.oracle.com/security-alerts/cpufaq.html)\n*   [Risk Matrix Definitions](https://www.oracle.com/security-alerts/advisorymatrixglossary.html)\n*   [Use of Common Vulnerability Scoring System (CVSS) by Oracle](https://www.oracle.com/security-alerts/cvssscoringsystem.html)\n*   [English text version of the risk matrices](https://www.oracle.com/security-alerts/cve-2026-21992verbose.html)\n*   [CSAF JSON version of the risk matrices](https://www.oracle.com/docs/tech/security-alerts/cve-2026-21992csaf.json)\n*   [Map of CVE to Advisory/Alert](https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html)\n*   [Oracle Lifetime support Policy](https://www.oracle.com/support/lifetime-support/resources.html)\n*   [JEP 290 Reference Blocklist Filter](https://support.oracle.com/support/?kmContentId=2591118)\n\n### Risk Matrix Content\n\nRisk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in [previous Critical Patch Update advisories and Alerts](https://www.oracle.com/security-alerts). 
An English text version of the risk matrices provided in this document is [here](https://www.oracle.com/security-alerts/cve-2026-21992verbose.html).\n\nSecurity vulnerabilities are scored using CVSS version 3.1 (see [Oracle CVSS Scoring](https://www.oracle.com/security-alerts/cvssscoringsystem.html) for an explanation of how Oracle applies CVSS version 3.1).\n\nOracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about conditions required to exploit the vulnerability and the potential impact of a successful exploit. Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see [Oracle vulnerability disclosure policies](https://www.oracle.com/us/support/assurance/disclosure-policies/index.html).\n\nThe protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the _only_ variant affected.\n\n\u00a0\n\n### Modification History\n\n\n|Date         |Note                   |\n|-------------|-----------------------|\n|2026-March-20|Rev 2. Added note.     |\n|2026-March-19|Rev 1. 
Initial Release.|\n\n#### Oracle Fusion Middleware Risk Matrix\n\nThis Security Alert contains 2 new security patches for Oracle Fusion Middleware. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found [here](https://www.oracle.com/security-alerts/cve-2026-21992verbose.html#FMW).\n\n| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |\n|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|\n| CVE-2026-21992 | Oracle Identity Manager | REST WebServices | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.2.1.0 | |\n| CVE-2026-21992 | Oracle Web Services Manager | Web Services Security | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.2.1.0 | See Note 1 |\n\n#### Notes:\n\n1.  Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure.", "creation_timestamp": "2026-03-23T16:16:00.111911+00:00", "timestamp": "2026-03-23T16:16:00.111911+00:00", "related_vulnerabilities": ["CVE-2026-21992"], "meta": [{"ref": ["https://www.oracle.com/security-alerts/alert-cve-2026-21992.html"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
