CVE-2026-21992 — AI Deep Analysis Summary

🚨 **Essence**: Oracle Identity Manager (OIM) & Web Services Manager have a critical security flaw. Attackers can access via HTTP without validation. 💥 **Consequences**: High risk of full system compromise.…

🛡️ **Root Cause**: The description cites "unvalidated attacker access via HTTP." While CWE is null, this implies a **Broken Access Control** or **Insufficient Input Validation** flaw.…

📦 **Affected Versions**: - Oracle Identity Manager: v12.2.1.4.0 & v14.1.2.1.0 - Oracle Web Services Manager: v12.2.1.4.0 & v14.1.2.1.0 🏢 **Vendor**: Oracle Corporation

🔓 **Attacker Capabilities**: - **Confidentiality (H)**: Steal sensitive identity data. - **Integrity (H)**: Modify user accounts or policies. - **Availability (H)**: Disrupt identity services. Basically, **Full Control*…

⚡ **Exploitation Threshold**: **LOW**. - **Network**: Remote (AV:N) - **Complexity**: Low (AC:L) - **Privileges**: None required (PR:N) - **User Interaction**: None (UI:N) Hackers can exploit this remotely without any l…

🕵️ **Public Exploit**: **No**. The `pocs` field is empty. There is no known public Proof-of-Concept (PoC) or wild exploitation code available yet.…

🔍 **Self-Check**: 1. Scan for Oracle Identity Manager versions **12.2.1.4.0** and **14.1.2.1.0**. 2. Check if Oracle Web Services Manager is running on the same versions. 3.…

🩹 **Official Fix**: **Yes**. Oracle released an advisory on **2026-03-20**. Check the official Oracle Security Alerts page for patches or interim fixes.…

🚧 **No Patch Workaround**: - **Network Segmentation**: Block external HTTP access to OIM/Web Services Manager ports immediately. - **WAF Rules**: Implement strict input validation and access control rules at the firewal…

🔥 **Urgency**: **CRITICAL**. CVSS Score is **9.1** (High). Remote, unauthenticated, and high impact. Patch immediately or apply network restrictions. Do not wait for public exploits to appear.