Last updated: May 13, 2026 at 5:42 AM UTC
Tag: identity-manager (1 article)

Oracle emergency patch for pre-auth RCE in Identity Manager and Web Services Manager (CVE-2026-21992)

Oracle broke its quarterly patch cycle to push an emergency fix for CVE-2026-21992 - a CVSS 9.8 pre-auth RCE in Oracle Identity Manager and Web Services Manager. An unauthenticated attacker with network access over HTTP can take over the entire identity management system. Oracle won't say if it's been exploited, but a nearly identical flaw in the same product (CVE-2025-61757) was added to CISA's KEV catalog just four months ago.

Check
Check if you run Oracle Identity Manager or Oracle Web Services Manager.
Affected
Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
Fix
Apply the out-of-band Security Alert patch from Oracle immediately. The patch is only available for versions under Premier or Extended Support.