Oracle has issued a Security Alert regarding a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager. The vulnerability, designated CVE-2026-21992, allows remote code execution without requiring the attacker to authenticate, which places it in one of the most severe categories of enterprise software flaws.
The vulnerability has a CVSS score of 9.8 and, according to Oracle, is easy to exploit via network access. No user interaction is required, and attackers do not need valid login credentials to carry out an attack. Successful exploitation could lead to complete compromise of systems, putting confidentiality, integrity, and availability at risk.
Oracle has chosen to release the patch outside the regular update cycle. Such out-of-band updates are typically deployed only when there is an exceptionally high risk or when rapid mitigation is necessary. In the accompanying advisory, the company strongly urges customers to apply the available updates as soon as possible.
The vulnerability affects Oracle Identity Manager and Oracle Web Services Manager in versions 12.2.1.4.0 and 14.1.2.1.0. Both products are part of the Fusion Middleware stack and are widely used in large organizations for identity management and securing web services. Because the vulnerability resides in web-related components and can be exploited via HTTP, systems that are externally accessible are at particularly high risk.
Oracle remains silent on exploitation
International media outlets, including BleepingComputer, report that Oracle is not commenting on whether the vulnerability is already being actively exploited. The company has declined requests for comment on this matter. This means organizations must act without clarity regarding potential exploitation in the wild, which further underscores the urgency of patching.
Oracle also notes that patches are only made available for versions covered by Premier Support or Extended Support. Older versions have not been tested, but they are likely to be vulnerable as well. Organizations still running such versions are advised to upgrade to a supported release as soon as possible.
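The two paragraphs above (affected versions, and the caveat that older unsupported releases are untested but likely vulnerable) translate directly into an inventory triage rule. The following script is an added illustration, not Oracle's code or tooling and not part of the alert: it parses Oracle-style dotted version strings, flags the two versions the alert names, treats anything older than the lowest named version as "unsupported, likely vulnerable", and prioritizes externally reachable hosts, since the alert states the flaw is exploitable over HTTP. The inventory rows, host names and the `internet_exposed` attribute are constructed sample data; the priority labels are an assumption of this example, not Oracle guidance.

```python
"""Triage an inventory of Oracle Fusion Middleware components against the
CVE-2026-21992 Security Alert. Added example; not Oracle's code.
Assumptions: the affected versions are exactly the two the alert names, and any
older release of the same products is treated as unsupported/likely vulnerable."""
from dataclasses import dataclass

# Products and versions named in the alert.
AFFECTED_PRODUCTS = {"Oracle Identity Manager", "Oracle Web Services Manager"}
AFFECTED_VERSIONS = {(12, 2, 1, 4, 0), (14, 1, 2, 1, 0)}


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '12.2.1.4.0' into (12, 2, 1, 4, 0); reject non-numeric components."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Oracle-style dotted version: {s!r}")
    return tuple(int(p) for p in parts)


def classify(product: str, version: str) -> str:
    """Map one (product, version) pair to a triage status."""
    if product not in AFFECTED_PRODUCTS:
        return "not-listed"
    v = parse_version(version)
    if v in AFFECTED_VERSIONS:
        return "affected"
    # Lexicographic tuple comparison handles both 4- and 5-component strings.
    if v < min(AFFECTED_VERSIONS):
        return "unsupported-likely-vulnerable"
    # Newer or intermediate lines are not named by the alert; review manually.
    return "not-listed"


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    status: str
    priority: str  # assumed scheme: P1 / P2 / none


def prioritize(status: str, internet_exposed: bool) -> str:
    """Externally reachable affected hosts first; everything else second."""
    if status == "affected":
        return "P1" if internet_exposed else "P2"
    if status == "unsupported-likely-vulnerable":
        return "P2"
    return "none"


def triage(inventory: list[dict]) -> list[Finding]:
    """Return one Finding per inventory row, highest priority first."""
    findings = []
    for row in inventory:
        status = classify(row["product"], row["version"])
        findings.append(Finding(
            host=row["host"], product=row["product"], version=row["version"],
            status=status, priority=prioritize(status, row["internet_exposed"]),
        ))
    order = {"P1": 0, "P2": 1, "none": 2}
    return sorted(findings, key=lambda f: order[f.priority])


# Constructed sample inventory (hosts and exposure flags are made up).
SAMPLE_INVENTORY = [
    {"host": "oim-prod-01", "product": "Oracle Identity Manager",
     "version": "12.2.1.4.0", "internet_exposed": True},
    {"host": "owsm-int-02", "product": "Oracle Web Services Manager",
     "version": "14.1.2.1.0", "internet_exposed": False},
    {"host": "oim-legacy-03", "product": "Oracle Identity Manager",
     "version": "11.1.2.3.0", "internet_exposed": False},
    {"host": "wls-app-04", "product": "Oracle WebLogic Server",
     "version": "12.2.1.4.0", "internet_exposed": True},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.priority:4} {f.host:14} {f.product:30} {f.version:11} {f.status}")
```

Running the script prints the exposed 12.2.1.4.0 Identity Manager host as P1, the internal affected host and the legacy 11.x host as P2 (patch and upgrade respectively), and the WebLogic host as not listed, since the alert does not name that product.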
The combination of a very high severity score, the lack of authentication, and the possibility of remote code execution makes CVE-2026-21992 an immediate risk for organizations using the affected software. Oracle emphasizes that timely installation of security updates remains essential to protect systems against potential attacks.