Oracle Corporation has released urgent security updates to address a severe vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw, tracked as CVE-2026-21992, allows unauthenticated attackers to execute arbitrary code remotely, making it a high-risk security issue.
Severity and Impact
This vulnerability has been assigned a CVSS score of 9.8 out of 10, indicating critical severity. According to Oracle, the flaw can be exploited without authentication, meaning an attacker does not need valid credentials to take control of affected systems.
Successful exploitation could allow attackers to:
- Execute remote commands on targeted systems
- Gain full control of affected environments
- Compromise sensitive enterprise data
Affected Products and Versions
The vulnerability impacts the following versions:
- Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
- Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
Technical Details
The flaw is described in the National Institute of Standards and Technology (NVD) as easily exploitable. An attacker with network access via HTTP could compromise vulnerable systems, potentially leading to full system takeover.
Although Oracle has not confirmed active exploitation in the wild, the risk remains extremely high due to the nature of the vulnerability.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.


