Oracle has issued an out-of-band Security Alert for a serious remote code execution (RCE) vulnerability, CVE-2026-21992, affecting two widely used Fusion Middleware components: Oracle Identity Manager and Oracle Web Services Manager. The vulnerability carries a CVSS 3.1 base score of 9.8, placing it in the highest risk category of Oracle's risk framework.

CVE-2026-21992 is an unauthenticated, remotely exploitable flaw that requires no user interaction and no privileges. The attack vector is network-based with low attack complexity, so a threat actor needs only HTTP access to an exposed endpoint to potentially achieve remote code execution.

The Confidentiality, Integrity, and Availability impact metrics are all rated High, meaning a successful exploit could give an attacker complete control of the affected system. In Oracle Identity Manager the flaw lies in the REST Web Services component; in Oracle Web Services Manager it lies in the Web Services Security module.

Oracle notes that Web Services Manager is typically installed alongside Oracle Fusion Middleware Infrastructure, which broadens the attack surface in enterprise deployments.

Affected versions

The following product versions are affected by the vulnerability:

Product                        Affected versions
Oracle Identity Manager        12.2.1.4.0, 14.1.2.1.0
Oracle Web Services Manager    12.2.1.4.0, 14.1.2.1.0

Both affected versions are on the Fusion Middleware patch track. Patch documentation is available on Oracle's Security Alert advisory page and on My Oracle Support (Document ID KB878741). Because the flaw scores 9.8 and needs no authentication, it is especially dangerous for organizations with internet-facing Oracle Fusion Middleware deployments.

Oracle Identity Manager is a widely deployed identity management platform, and Oracle Web Services Manager enforces security policies for web services. Both are core infrastructure components in large enterprises and government agencies.

Exploiting either product could lead to full system compromise, credential theft, or lateral movement across connected systems. Oracle strongly urges all customers to apply the patches as soon as possible. The alert was first published on March 19, 2026, and updated on March 20, 2026, with an additional note from Oracle.

Under Oracle's Lifetime Support Policy, patches are provided only for versions in the Premier Support or Extended Support phases; organizations running unsupported versions of the affected products should upgrade to a supported release. Security teams should prioritize patching any externally reachable instances and, until patched, review the HTTP/HTTPS exposure of the REST Web Services and Web Services Security endpoints.

Customers can find the full risk matrix and detailed CVE information on Oracle's official Security Alerts portal.