Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security

Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)

Oracle has released an out-of-band patch for a critical and easily exploitable vulnerability (CVE-2026-21992) in Oracle Identity Manager and Oracle Web Services Manager.

Oracle CVE-2026-21992

The company did not say whether the vulnerability has been exploited as a zero-day, but has urged customers to apply the updates or provided mitigations as soon as possible.

About CVE-2026-21992

CVE-2026-21992 is caused by missing authentication for a critical function.

In Oracle Identity Manager – a solution for provisioning, managing and deprovisioning users, roles, and access rights – CVE-2026-21992 affects the REST WebServices component.

In Oracle Web Services Manager, which is installed with an Oracle Fusion Middleware Infrastructure and is used for guarding the security of web services (APIs), CVE-2026-21992 affects the Web Services Security component.

In both cases, the vulnerability can be exploited by unauthenticated attackers over HTTP and HTTPS, to achieve remote code execution on vulnerable systems and take them over. No user interaction is needed for successful exploitation.

CVE-2026-21992 affects Oracle Identity Manager and Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0. Earlier, (now) unsupported versions are likely affected as well.

“As a result, Oracle recommends that customers upgrade to supported versions,” the company said.

Vulnerability mirrors actively exploited predecessor

In November 2025, a vulnerability in Oracle Identity Manager similar to CVE-2026-21992 was added by CISA to its Known Exploited Vulnerabilities catalog.

CVE-2025-61757 also stemmed from missing authentication for a critical function and was patched by Oracle in October 2025.

Assetnote / Searchlight Cyber researchers were credited with reporting it. They released a detailed techical write-up about it the day before CISA flagged the vulnerability as actively exploited.

It’s possible this report helped Oracle, other researchers, or even malicious attackers unearth CVE-2026-21992.

Whatever the case turns out to be, organizations using either or both solutions should apply the patch quickly.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

More about

Featured news

Resources

Don't miss