Oracle broke its usual quarterly Critical Patch Update cadence on March 20, 2026, issuing an out-of-band security alert for CVE-2026-21992 — a pre-authentication remote code execution flaw in Oracle Identity Manager and Oracle Web Services Manager. A CVSS 9.8 vulnerability sitting inside your IAM layer, reachable by anyone on the network with no credentials required, is about as bad as it gets for enterprise infrastructure.
What’s Vulnerable
CVE-2026-21992 affects two products in the Oracle Fusion Middleware stack:
- Oracle Identity Manager (OIM), in the REST WebServices component
- Oracle Web Services Manager (OWSM), in the Web Services Security component
Both products are affected at versions 12.2.1.4.0 and 14.1.2.1.0. These are the currently supported long-term release lines, meaning this isn’t some obscure legacy version — this is what organizations running modern Oracle IAM deployments have installed today.
Root Cause: Missing Authentication on a Critical Function (CWE-306)
The vulnerability is classified under CWE-306: Missing Authentication for Critical Function. In plain terms, Oracle Identity Manager exposes REST WebServices endpoints that perform privileged or sensitive operations, but some of those endpoints do not require any authentication before processing a request.
An unauthenticated attacker who can reach the OIM REST API over HTTP or HTTPS can call one of these endpoints, drive the privileged code path, and achieve remote code execution on the underlying host. The CVSS vector tells the story clearly:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability. Score: 9.8.
This isn’t an edge-case exploit chain requiring a dozen gadgets — it’s a direct call to an unguarded function.
Why IAM Is the Worst Place for This
Identity and Access Management platforms occupy an extraordinarily sensitive position in enterprise infrastructure. OIM is responsible for provisioning user accounts, managing role assignments, synchronizing credentials, and enforcing access policies across connected systems — which in large environments can span Active Directory, databases, cloud platforms, and dozens of enterprise applications.
Compromising OIM gives an attacker an elevated vantage point that’s hard to match elsewhere:
- Account provisioning: The attacker can create or modify accounts in any connected system OIM manages.
- Role escalation: Existing accounts can have privileged roles assigned without going through any approval workflow.
- Credential synchronization: Depending on the integration, the attacker may have visibility into or influence over credential stores.
- Audit trail manipulation: IAM platforms often log privileged access events — an attacker with full control of OIM could interfere with audit records.
The blast radius of RCE in OIM extends well beyond the server itself.
Historical Context: CVE-2025-61757
Oracle's out-of-band fix has a direct predecessor: CVE-2025-61757, a vulnerability in the same Oracle Identity Manager REST WebServices component that was exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog in November 2025. Oracle's advisory for CVE-2026-21992 explicitly ties the out-of-band release timing to that exploitation history.
Oracle has not disclosed whether CVE-2026-21992 itself has been exploited in the wild, but the precedent from CVE-2025-61757 — same component, same attack surface — makes rapid patching non-negotiable. Threat actors already have institutional knowledge of this code path.
Attack Surface Exposure
Oracle Identity Manager is typically deployed on internal enterprise networks, but in many organizations the OIM REST API is reachable from broad internal segments, from VPN-connected endpoints, or, in some configurations, from the internet. Any pentest pivot onto a segment that can reach OIM becomes significantly more powerful with CVE-2026-21992 available.
Unauthenticated pre-auth RCE vulnerabilities with CVSS 9.8 in authentication infrastructure are exactly what ransomware operators and nation-state actors prioritize for initial access and lateral movement. Expect exploit code to appear publicly within weeks if it hasn’t already.
What to Do
Patch immediately. Oracle’s out-of-band security alert patch was released March 20, 2026. Apply it before doing anything else. Patches are available through Oracle’s Fusion Middleware Patch Availability Document (KB878741) on My Oracle Support.
Affected versions requiring patching:
- Oracle Identity Manager 12.2.1.4.0
- Oracle Identity Manager 14.1.2.1.0
- Oracle Web Services Manager 12.2.1.4.0
- Oracle Web Services Manager 14.1.2.1.0
If patching immediately isn’t possible:
Network-layer restriction: Block access to the OIM REST WebServices port at the network perimeter and from broad internal segments. Restrict access to the specific known-good source IPs and service accounts that legitimately call the API, and verify the restriction from an untrusted segment rather than assuming the rule took effect.
WAF rule deployment: If you have a WAF in front of OIM, deploy rules to restrict REST API access patterns. This is a mitigation, not a fix: WAF bypass is often possible, and a rule that only inspects authenticated sessions will never see the credential-less requests this flaw is about.
Log review: Query your OIM application and HTTP access logs for unexpected REST API calls, particularly those arriving without authentication headers or from unusual source IPs. Given the precedent of active exploitation of CVE-2025-61757, look back at least 90 days for signs of prior intrusion in the same component.
Privileged access audit: After patching, audit recently created or modified accounts and role assignments in OIM and connected systems. If pre-patch exploitation occurred, the attacker’s foothold is likely in provisioned accounts, not persistent code on the host.
For Oracle Web Services Manager: Review what web service endpoints are exposed through OWSM and whether additional authentication controls can be layered in front of the Web Services Security component while the patch is staged.
Detection
Look for REST API requests to OIM endpoints that lack Authorization headers or session cookies, especially against endpoints related to provisioning, user management, or role assignment. HTTP 200 responses to unauthenticated requests on those paths are strong indicators of exploitation. Baseline first: some paths may legitimately answer unauthenticated requests (health checks, login endpoints), so exclude those before alerting, and treat a 200 on a provisioning or role-assignment path with no credentials as high confidence.
If your SIEM has Oracle Identity Manager logs, build an alert for successful REST API calls where the authenticated identity is null or absent.
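As an added example (this is not code from the original article, from Oracle, or from any SIEM vendor), the following Python script applies the log-review and detection logic described above to a handful of constructed access-log lines. The single-line log layout, the `/iam/governance/` path prefix, and the "sensitive" path fragments are assumptions to adapt to your deployment's real log format and OIM URL scheme. It flags requests to OIM REST paths that carried no credentials yet received HTTP 200, skips paths that are not provisioning, user, or role operations, and supports the 90-day lookback from the log-review step.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed, simplified request-log shape (constructed for this example, not
# Oracle's native access-log format):
#   "<ISO timestamp> <src_ip> <METHOD> <path> <status> auth=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

# Assumption: OIM's REST WebServices are served under this prefix.
# Adjust to the URL scheme of your own deployment.
OIM_REST_PREFIX = "/iam/governance/"

# Path fragments that mark provisioning / user / role operations (assumed;
# tune to the endpoints you actually expose).
SENSITIVE_FRAGMENTS = ("user", "role", "provision", "account")

# Constructed sample log; the 203.0.113.77 source is the attacker-like case.
SAMPLE_LOG = """\
2026-03-21T09:14:02 10.20.30.5 GET /iam/governance/selfservice/api/v1/users 200 auth=yes
2026-03-21T09:14:09 10.20.30.5 GET /oim/faces/home 200 auth=yes
2026-03-21T09:15:41 203.0.113.77 POST /iam/governance/selfservice/api/v1/users 200 auth=no
2026-03-21T09:15:43 203.0.113.77 PUT /iam/governance/selfservice/api/v1/users/42/roles 200 auth=no
2026-03-21T09:16:00 203.0.113.77 GET /iam/governance/selfservice/api/v1/users 401 auth=no
2026-03-21T09:16:30 10.20.30.9 GET /iam/governance/selfservice/api/v1/whoami 200 auth=no
not a log line
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["auth"] = rec["auth"] == "yes"
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_suspicious(rec):
    """Credential-less request to a sensitive OIM REST path that was served 200."""
    path = rec["path"].lower()
    return (
        path.startswith(OIM_REST_PREFIX)
        and not rec["auth"]
        and rec["status"] == 200
        and any(frag in path for frag in SENSITIVE_FRAGMENTS)
    )


def lookback_window(now, days=90):
    """Start of the review window: the article recommends at least 90 days."""
    return now - timedelta(days=days)


def find_suspicious(lines, since=None):
    """Return parsed records that meet is_suspicious(), optionally after `since`."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-log lines rather than crash on them
        if since is not None and rec["ts"] < since:
            continue
        if is_suspicious(rec):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count suspicious requests per source IP, the unit an analyst triages."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    since = lookback_window(datetime(2026, 3, 21))
    hits = find_suspicious(SAMPLE_LOG.splitlines(), since=since)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['ip']} {h['method']} {h['path']}")
    print(summarize_by_source(hits))
```

Feed it your real access log after rewriting `LOG_RE` for your format; the `whoami`-style line in the sample shows why the sensitive-fragment filter matters, since an unauthenticated 200 on a harmless path would otherwise drown the alert in noise.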