{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21992", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.717Z", "datePublished": "2026-03-20T02:24:16.080Z", "dateUpdated": "2026-03-20T02:24:16.080Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-03-20T02:24:16.080Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Identity Manager", "versions": [{"version": "12.2.1.4.0", "status": "affected", "versionType": "semver"}, {"version": "14.1.2.1.0", "status": "affected", "versionType": "semver"}]}, {"vendor": "Oracle Corporation", "product": "Oracle Web Services Manager", "versions": [{"version": "12.2.1.4.0", "status": "affected", "versionType": "semver"}, {"version": "14.1.2.1.0", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/alert-cve-2026-21992.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."}], "id": "CVE-2026-21992", "lastModified": "2026-03-20T03:15:58.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-03-20T03:15:58.680", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/alert-cve-2026-21992.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "12.2.1.4.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "14.1.2.1.0"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 87.0, "source": "matching"}]}, "original": {"product": "Oracle Identity Manager", "source": "cna", "vendor": "Oracle Corporation"}, "product": "identity_manager", "vendor": "oracle"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "12.2.1.4.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "14.1.2.1.0"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 89.0, "source": "matching"}]}, "original": {"product": "Oracle Web Services Manager", "source": "cna", "vendor": "Oracle Corporation"}, "product": "web_services_manager", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-03-20T04:51:15.649942+00:00", "value": {"mitigation_remediation": ["Apply the Oracle security patch or upgrade to the latest fixed version as specified in the Oracle Security Alert at https://www.oracle.com/security-alerts/alert-cve-2026-21992.html.", "If a patch is not immediately available, restrict external access to the affected services by blocking or limiting HTTP traffic to trusted IP ranges.", "Continuously monitor system logs, authentication events, and network traffic for signs of unauthorized access or exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected products are Oracle Identity Manager and Oracle Web Services Manager as referenced by the vendor alert. The versions impacted are 12.2.1.4.0 and 14.1.2.1.0 for both products. The corresponding CPE entries are cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:* , cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:* , cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:* , and cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:* .", "description_and_impact": "Key detail from vendor description: Oracle identifies an exploited vulnerability in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager. The flaw allows an unauthenticated attacker with network access via HTTP to compromise the systems, potentially leading to full takeover of the entire application. The weakness is an authentication bypass that can be mapped to a CWE classification. Based on the description, it is inferred that the vulnerability corresponds to improper authentication (CWE-287). The impact is loss of confidentiality, integrity, and availability, as reflected by a CVSS v3.1 Base Score of 9.8.", "risk_and_exploitability": "The CVSS score of 9.8 (Critical) indicates a high severity. The exploit requires only remote network connectivity over HTTP, with no authentication, no user interaction, and low attack complexity, as described. EPSS is not available, and the vulnerability is not listed in CISA KEV. Given the widespread network exposure, the risk of exploitation is high, and attackers could gain administrative control of the managed systems."}}}}, "created": "2026-03-20T08:53:04.497271+00:00", "title": "Unauthenticated Remote Takeover via REST API in Oracle Identity and Web Services Manager", "updated": "2026-03-20T10:37:48.631275+00:00", "vendors": ["oracle", "oracle$PRODUCT$identity_manager", "oracle$PRODUCT$web_services_manager"], "weaknesses": ["CWE-287", "CWE-20"]}