CVE-2026-21992

CVSS 9.8 (CRITICAL) · EPSS 0.1%

Critical remote code execution vulnerability in Oracle Fusion Middleware affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw enables unauthenticated remote attackers with network access via HTTP to achieve complete system compromise due to missing authentication for critical functions in the REST WebServices component.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-306: Missing Authentication for Critical Function
