Am I affected by CVE-2026-21992?

Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.

How do I fix CVE-2026-21992?

Apply the out-of-band Security Alert patch from Oracle immediately. Only available for versions under Premier or Extended Support.

Oracle emergency patch for pre-auth RCE in Identity Manager and Web Services Manager (CVE-2026-21992)

vulnerability

CVE-2026-21992

2026-03-23

Oracle emergency patch for pre-auth RCE in Identity Manager and Web Services Manager (CVE-2026-21992)

Oracle broke its quarterly patch cycle to push an emergency fix for CVE-2026-21992 - a CVSS 9.8 pre-auth RCE in Oracle Identity Manager and Web Services Manager. An unauthenticated attacker with network access over HTTP can take over the entire identity management system. Oracle won't say if it's been exploited, but a nearly identical flaw in the same product (CVE-2025-61757) was added to CISA's KEV catalog just four months ago.

Check: Check if you run Oracle Identity Manager or Oracle Web Services Manager.
Affected: Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
Fix: Apply the out-of-band Security Alert patch from Oracle immediately. Only available for versions under Premier or Extended Support.