Oracle critical patch fixes remote code execution vulnerability without authentication in Identity Manager and Web Services Manager CVE 2026 21992

Oracle has published an off-schedule patch to correct a critical failure that allows the remote code execution without authentication in two corporate components: Identity Manager and Web Services Manager. Vulnerability, recorded as CVE-2026-21992 and cataloged with CVSS score v3.1 of 9.8 it affects specific versions of both products and requires organisations to act quickly if any instance is accessible from the network.

Identity Manager is used to orchestrate identities and permissions in business environments, while Web Services Manager adds security policies and controls over web services. The combination of the critical nature of the failure and the role of these tools in the management of access and communications makes the potential impact high: an attacker who explores vulnerability could execute arbitrary code on exposed servers, compromising identities, integrity of services and possibly the rest of the infrastructure.

According to Oracle's official notice, vulnerability can be remotely exploited through HTTP, its complexity is low and does not require user interaction or credentials. The affected versions reported by Oracle are Identity Manager 12.2.1.4.0 and 14.1.2.1.0, as well as Web Services Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle spread the patch by Security Alert program the mechanism used to provide corrections outside the usual cycle when the gravity or active operation so justifies.

The company insists that customers stay in versions with active support and apply updates or mitigation as soon as possible. It is important to stress that the corrections distributed by this program are usually available only for versions covered by Premier or Extended Support; the out-of-support editions can remain without patch and therefore vulnerable if no further action is taken.

Oracle has published both the security notice and a blog entry with the details of the problem and the instructions for parking. The technical notice is available on the Oracle site: Security Alert CVE-2026-21992 and the additional explanation in your log: Oracle post blog about alert. In addition, the CVE register provides a public summary in the MITRE catalogue: CVE-2026-21992 (MITRE) and its technical statement in the national vulnerability database: NVD - CVE-2026-21992.

Oracle has not publicly confirmed whether this vulnerability has been exploited in actual attacks to date. In the meantime, the official recommendation and the usual security practice agree on a clear priority: install the patch in the affected environments following the corresponding tests and minimize public exposure. For those unable to update immediately, reasonable interim measures include restricting access to the ports and services affected by firewalls, applying network-level access control rules and reviewing whether the exposed components are accessible from the Internet.

In the area of detection and response, it is appropriate to review the access and execution records in the instances of Identity Manager and Web Services Manager, to look for unusual behavior signals that may indicate a operation and to quickly isolate any suspicious server. It is also recommended to coordinate with identity and security teams, and to prepare recovery plans that include restoration from clean copies if commitment is detected. The rapid response reduces the opportunity window of the attackers and limits side movements within the network.

For IT equipment and safety officers managing infrastructure in which these products are used, the workload of patches may be high, but the alternative of leaving critical services without protection against a vulnerability of High risk It's not acceptable. Testing patches in test environments, planning maintenance windows and transparently communicating the application schedule to affected areas will help reduce friction and accelerate mitigation.

In broader terms, this incident recalls two essential lessons: on the one hand, that the components that manage identities and the traffic of services are privileged objectives for the attackers; on the other, that maintaining platforms in active support versions and a rigorous patch program remains the most effective defense against critical failures. If your organization uses Oracle Identity Manager or Web Services Manager, check the versions in use as soon as possible, check the Oracle notice and plan the application of the patch following the official guides.

Additional sources and readings: Oracle's technical notice of this vulnerability is available on your safety site ( Security Alert CVE-2026-21992), the explanation on the Oracle blog offers operational context ( Oracle Security Blog), and the public records of the EQO are available in MITRE and NVD ( MITRE, NVD).