CVE-2026-21992
Oracle Identity Manager (OIM) is an identity governance platform that automates user lifecycle management across applications and systems. Oracle Web Services Manager (OWSM), installed with an Oracle Fusion Middleware Infrastructure, provides a policy-driven framework for consistently managing and securing web services across the organization. CVE-2026-21992 affects both the REST WebServices component of OIM and the Web Services Security components of OWSM. This vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Although this patch was released outside the regular update cycle, the vendor did not report any active exploitation in the wild.
EPSS 0.07% · 20.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Oracle Identity Manager and Oracle Web Services Manager |
Timeline
- Mar 20, 2026 CVE Published
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 21, 2026 PoC Published