Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability
Oracle releases emergency patch for critical unauthenticated RCE in Identity Manager.
Summary
Oracle issued out-of-band patches for CVE-2026-21992, a critical vulnerability (CVSS 9.8) affecting Oracle Identity Manager and Web Services Manager that allows unauthenticated remote code execution via HTTP. The flaw affects the REST WebServices component of Identity Manager and the Web Services Security component of Web Services Manager. Oracle has not said whether the flaw has been exploited in the wild, but it has previously patched exploited zero-days in Identity Manager without disclosing exploitation.
Full text
Oracle on Friday issued out-of-band updates to patch a critical vulnerability affecting its Identity Manager and Web Services Manager products.

Oracle Identity Manager is an enterprise identity governance platform that automates user provisioning, deprovisioning, and access management across applications and systems. Oracle Web Services Manager is a policy-driven framework for managing and protecting web services.

Oracle revealed that the products, part of the Fusion Middleware suite, are affected by CVE-2026-21992, a critical vulnerability that can be exploited by an unauthenticated attacker for remote code execution.

According to Oracle’s advisory, the vulnerability has a CVSS score of 9.8 and affects the REST WebServices component of Identity Manager and the Web Services Security component of Web Services Manager.

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager,” reads the description of CVE-2026-21992 in the National Vulnerability Database. “Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager.”

Oracle’s Integrated Cyber Center has published a security alert to draw organizations’ attention to the patches, but the vendor has not clearly stated whether the flaw has been exploited in the wild.

SecurityWeek has reached out to Oracle to find out whether the vulnerability has been leveraged in malicious attacks.

It’s worth noting that it would not be the first time Oracle has released a patch for a zero-day without specifically telling customers that it has been exploited in the wild. In November 2025, the software giant informed customers about another critical pre-authentication remote code execution vulnerability in Identity Manager. The company did not mention exploitation, but others later confirmed that it had been exploited as a zero-day.

Vulnerabilities in Oracle’s E-Business Suite (EBS) were recently exploited in a massive data theft campaign that affected more than 100 organizations. The attacks involved the exploitation of zero-days, but Oracle has not clearly specified which flaws the attackers used.

Related: Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact
Related: Michelin Confirms Data Breach Linked to Oracle EBS Attack
Related: Oracle’s First 2026 CPU Delivers 337 New Security Patches

Written By Eduard Kovacs
Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Indicators of Compromise
- cve — CVE-2026-21992