VDB

CVE-2026-21992

CVE-2026-21992 PUBLISHED CVSS 9.800000190734863 CRITICAL

Oracle Identity Manager (OIM) is an identity governance platform that automates user lifecycle management across applications and systems. Oracle Web Services Manager (OWSM), installed with an Oracle Fusion Middleware Infrastructure, provides a policy-driven framework for consistently managing and securing web services across the organization. CVE-2026-21992 affects both the REST WebServices component of OIM and the Web Services Security components of OWSM. This vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Although this patch was released outside the regular update cycle, the vendor did not report any active exploitation in the wild.

EPSS 0.07% · 20.7th percentile

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.07%
20.7th percentile

Affected Products

VendorProductVersions
OracleOracle Identity Manager and Oracle Web Services Manager

Timeline

  • Mar 20, 2026 CVE Published
  • Mar 20, 2026 EPSS Score
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 20, 2026 PoC Published
  • Mar 21, 2026 EPSS Score
  • Mar 21, 2026 PoC Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›