Vulnerability Advisory
CVE-2026-21992
Oracle has released an out-of-band emergency patch for CVE-2026-21992, a critical (CVSS 9.8) unauthenticated RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0. No credentials are required, and the flaw is exploitable over HTTP. Patch immediately via KB878741.
Severity
Critical
CVSS Score
9.5 / 10
Published
Mar 21, 2026
Affected Products
- Oracle Identity Manager 12.2.1.4.0 — REST WebServices component
- Oracle Identity Manager 14.1.2.1.0 — REST WebServices component
- Oracle Web Services Manager 12.2.1.4.0 — Web Services Security component
- Oracle Web Services Manager 14.1.2.1.0 — Web Services Security component
- Older unsupported versions — not tested but likely affected per Oracle warning
Full Analysis
CVE-2026-21992: Oracle Issues Emergency Patch for Critical Unauthenticated RCE in Identity Manager and Web Services Manager