Oracle Issues Emergency Fix for Pre-Auth Remote Code Execution Vulnerability in Identity Manager (CVE-2026-21992)

Oracle Issues Urgent Fix for Pre-Authentication Remote Code Execution Flaw in Identity Manager Software

On March 23, 2026, Oracle released an out-of-band patch to address a critical vulnerability identified as CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager.

Vulnerability Details

  • The vulnerability allows unauthenticated attackers to execute arbitrary code remotely, compromising the integrity of these software applications.
  • The flaw stems from a lack of authentication for a critical function within the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager.
  • The flaw is exploitable over HTTP or HTTPS without any user interaction, which makes it particularly concerning for organizations running these products.
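
The flaw class the advisory describes (missing authentication for a critical function on a REST service) is illustrated below with a constructed example. This is not Oracle code and does not model the real Identity Manager endpoints; the route names, the HMAC bearer token and the secret are all invented for the demonstration. It shows the vulnerable pattern, where each handler is trusted to check the caller itself and a privileged one never does, beside a hardened dispatcher that denies by default and allow-lists public routes, plus a small audit helper that reports which privileged routes still answer without credentials.

```python
"""Constructed illustration of missing authentication for a critical function
in a tiny REST-style dispatcher. Not Oracle code; all names are invented."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed shared secret for bearer tokens; a real deployment would use an IdP.
_SECRET = b"constructed-demo-secret"


def mint_token(user: str) -> str:
    """Issue a bearer token of the form 'user.mac' (HMAC-SHA256 over the user)."""
    mac = hmac.new(_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the user name if the token is valid, otherwise None."""
    if not token or "." not in token:
        return None
    user, mac = token.rsplit(".", 1)
    expected = hmac.new(_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[Request, Optional[str]], Response]


def reset_password(req: Request, user: Optional[str]) -> Response:
    """A privileged operation: the 'critical function' in the advisory's terms."""
    target = req.body.get("account", "?")
    return Response(200, f"password reset for {target} by {user or 'anonymous'}")


def health(req: Request, user: Optional[str]) -> Response:
    return Response(200, "ok")


def _caller(req: Request) -> Optional[str]:
    """Extract and verify the bearer token, if any."""
    return verify_token(req.headers.get("Authorization", "").removeprefix("Bearer "))


# --- Vulnerable pattern: authentication is opt-in, per handler ---------------
# The route table carries no auth requirement; reset_password never checks
# whether `user` is None, so anyone who can reach the path can call it.
VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/health": health,
    "/admin/resetPassword": reset_password,
}


def dispatch_vulnerable(req: Request) -> Response:
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, _caller(req))  # absence of a token is never an error


# --- Hardened pattern: deny by default, allow-list the public routes ----------
HARDENED_ROUTES: Dict[str, Handler] = dict(VULNERABLE_ROUTES)
PUBLIC_PATHS = {"/health"}  # every other path requires a valid token


def dispatch_hardened(req: Request) -> Response:
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    user = _caller(req)
    if req.path not in PUBLIC_PATHS and user is None:
        # Enforced centrally, before any handler runs, so a forgotten check
        # in one handler cannot expose a privileged function.
        return Response(401, "authentication required")
    return handler(req, user)


def unauthenticated_reachable(dispatch: Callable[[Request], Response]) -> List[str]:
    """Audit helper: which non-public routes return 200 with no credentials?"""
    reachable = []
    for path in VULNERABLE_ROUTES:
        if path in PUBLIC_PATHS:
            continue
        resp = dispatch(Request("POST", path, body={"account": "probe"}))
        if resp.status == 200:
            reachable.append(path)
    return reachable


if __name__ == "__main__":
    print("vulnerable:", unauthenticated_reachable(dispatch_vulnerable))
    print("hardened:  ", unauthenticated_reachable(dispatch_hardened))
```

The design point is where the check lives: in the vulnerable form every handler is a place where authentication can be forgotten, while the hardened dispatcher makes the public allow-list the only place that grants anonymous access, so the audit helper doubles as a regression test when new routes are added.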

Affected Versions

  • CVE-2026-21992 affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager and Oracle Web Services Manager, respectively.
  • Oracle advises upgrading to supported versions to mitigate this risk, noting that earlier, now unsupported versions may also be vulnerable.

According to Oracle, “Organizations relying on Oracle Identity Manager and Oracle Web Services Manager are strongly advised to apply the recent patches or implement mitigation strategies as soon as possible to prevent potential exploitation of this critical vulnerability.”

Previous Similar Vulnerability

  • A similar vulnerability, CVE-2025-61757, was previously reported in November 2025 and was discovered to stem from the same issue of missing authentication for a critical function.
  • That vulnerability was also patched by Oracle in October 2025 following reports from Assetnote/Searchlight Cyber researchers, who had published a detailed technical write-up about the issue prior to its inclusion in CISA’s Known Exploited Vulnerabilities catalog.
