Update: Added that Oracle declined to comment on whether the vulnerability has been exploited.
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
Oracle Identity Manager is used for managing identities and access across an enterprise, while Oracle Web Services Manager provides security and management controls for web services.
In an advisory released yesterday, Oracle is “strongly” recommending that customers apply the patches as soon as possible.
“This Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution,” reads the security advisory.
“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.”
The CVE-2026-21992 vulnerability has a CVSS v3.1 severity score of 9.8 and impacts Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, as well as Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.
Oracle says the flaw is of low complexity, remotely exploitable over HTTP, and does not require authentication or user interaction, increasing the risk of exploitation on exposed servers.
The fix was released through its Security Alert program, which delivers out-of-schedule fixes or mitigations for critical or actively exploited vulnerabilities. However, Oracle says that patches released through these programs are only offered for versions under Premier or Extended Support, and older unsupported versions may be vulnerable.
Oracle has not disclosed whether the vulnerability has been exploited and declined to comment when BleepingComputer asked about its exploitation status.
In a separate blog post published today, Oracle once again noted the severity of CVE-2026-21992 and warned customers to review the security alert for full details and patch information.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
