Vulnerability Analysis

CVE-2026-21992: Oracle Identity Manager Pre-Auth RCE — What It Is & How to Fix It

Executive Summary

CVE-2026-21992 is a critical, unauthenticated remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager (CVSS 9.8). Classified as a Missing Authentication for Critical Function flaw (CWE-306), it allows any attacker with HTTP network access to execute arbitrary code on the target server — no credentials required. Oracle issued an emergency out-of-band patch in March 2026; organizations running affected versions should treat this as an immediate remediation priority.


1. What Is This Vulnerability?

CVE-2026-21992 stems from an absence of proper authentication controls in two critical components:

  • Oracle Identity Manager (OIM): the flaw is in the REST WebServices component, which exposes administrative and identity management endpoints over HTTP.
  • Oracle Web Services Manager (OWSM): the flaw is in the Web Services Security module, which governs policy enforcement for web service calls.

In both cases, a sensitive function path reachable over the network fails to verify that the caller is authenticated before processing the request. Because the function operates with the privileges of the application server process, a successful exploit yields code execution in that context — typically as the Oracle middleware account, which commonly has broad filesystem and database access.

CWE Classification: CWE-306 — Missing Authentication for Critical Function

Attack Vector

An attacker sends a crafted HTTP request directly to an exposed REST endpoint (or SOAP service endpoint in OWSM) on the vulnerable Oracle Fusion Middleware server. Because no authentication check is enforced, the server processes the malicious payload, which can include a serialized Java object, a server-side template injection payload, or a command-injection string depending on the specific endpoint targeted.

Example conceptual exploit flow:

# Attacker sends unauthenticated POST to vulnerable REST endpoint
POST /iam/governance/selfservice/api/v1/<vulnerable-function> HTTP/1.1
Host: target-oim-server:14000
Content-Type: application/json

{
  "payload": "<malicious_serialized_object_or_command>"
}

# Server processes payload without authentication, executes attacker-controlled code

The attack requires no user interaction, no privileges, and works over standard HTTP — making it straightforward to automate and script at scale.

Real-World Impact

While Oracle confirmed no active exploitation at the time of the emergency patch release, the vulnerability's characteristics (pre-auth, low complexity, network-accessible) make it a high-value target for ransomware operators and espionage actors. Oracle Identity Manager is the authoritative identity governance platform in many enterprises — a full compromise gives attackers control over user provisioning, entitlements, and access to every connected system. In environments where OIM manages privileged access, this is effectively a master key to the organization.


2. Who Is Affected?

Product                        Affected Versions
-----------------------------  -----------------
Oracle Identity Manager        12.2.1.4.0
Oracle Identity Manager        14.1.2.1.0
Oracle Web Services Manager    12.2.1.4.0
Oracle Web Services Manager    14.1.2.1.0

Exposure conditions:

  • Any OIM or OWSM installation reachable over HTTP/HTTPS from an attacker — including internet-facing deployments and internally networked instances accessible from a compromised host.
  • Default port ranges: OIM typically runs on ports 14000 (HTTP) and 14001 (HTTPS); OWSM on ports shared with the WebLogic admin or managed server.
  • Cloud-hosted Oracle Fusion Middleware deployments where Oracle manages patching may receive the fix automatically — verify with Oracle support.

Not affected:

  • Oracle Identity Cloud Service (IDCS) / OCI IAM (SaaS — patched by Oracle directly)
  • Versions outside 12.2.1.4.0 and 14.1.2.1.0

3. How to Detect It (Testing)

Manual Testing Steps

  1. Identify the OIM/OWSM server and accessible endpoints. Enumerate open ports 14000, 14001, 7001, 7002 on suspected Oracle Fusion Middleware hosts. Check for /iam/, /oim/, /wsm-pm/ URI prefixes.

  2. Attempt unauthenticated access to a protected REST endpoint. Send a GET or POST request to a known administrative REST path without any Authorization header or session cookie:

    curl -k -X GET https://<oim-host>:14001/iam/governance/selfservice/api/v1/users \
      -H "Content-Type: application/json"
    

    A 200 OK or non-401/403 response to an endpoint that should require authentication is a strong indicator of the vulnerability.

  3. Check server response headers and body. If the server returns data (user lists, configuration, or internal error stack traces) without authentication, the endpoint is misconfigured or vulnerable.

  4. Review OWSM policy attachment. Log into the WebLogic Administration Console and confirm that authentication policies are attached to all web service endpoints under WSM → Policies.

Automated Scanning

Tool: Tenable Nessus / Tenable.io

  • Plugin ID(s) specific to CVE-2026-21992 were released following Oracle's advisory.
  • Run a credentialed or uncredentialed scan targeting OIM/OWSM hosts.
  • Expected output: "CVE-2026-21992 — Oracle Identity Manager Unauthenticated RCE" finding at Critical severity.

Tool: Nuclei (ProjectDiscovery)

  • Check the Nuclei templates repository for a CVE-2026-21992 template.
  • Command:
    nuclei -u https://<oim-host>:14001 -t cves/2026/CVE-2026-21992.yaml -v
    
  • Expected output: [CVE-2026-21992] [critical] [http] https://<oim-host>:14001/...

Tool: Burp Suite Pro

  • Use the "Active Scan" feature on the OIM base URL.
  • Add the REST endpoint paths to scope.
  • Look for unauthenticated responses (HTTP 200 on endpoints that should return HTTP 401).

Code Review Checklist

  • Confirm all REST controllers in OIM custom extensions require @Secured or equivalent authentication annotation
  • Verify OWSM security policies are attached (not detached) to every web service endpoint
  • Check WebLogic security realm configuration — confirm Identity Asserter is active
  • Review custom REST filters — ensure no permitAll() or authentication bypass is present for admin-class paths
  • Confirm /iam/governance/ and /wsm-pm/ paths are not exposed directly to the public internet without a WAF or API gateway in front

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Download the emergency patch from Oracle Security Alert CVE-2026-21992. Log into Oracle Support (My Oracle Support) and search for patch IDs referenced in the advisory.

  2. Apply the patch to all affected OIM instances (12.2.1.4.0 and 14.1.2.1.0):

    # Stop OIM managed server
    $DOMAIN_HOME/bin/stopManagedWebLogic.sh oim_server1
    
    # Apply patch using OPatch
    cd $ORACLE_HOME
    ./OPatch/opatch apply /path/to/patch_directory
    
    # Verify patch application
    ./OPatch/opatch lspatches | grep <patch_number>
    
  3. Apply the patch to all affected OWSM instances using the same OPatch process, targeting the OWSM Oracle Home.

  4. Restart all affected managed servers and the AdminServer:

    $DOMAIN_HOME/bin/startManagedWebLogic.sh oim_server1
    $DOMAIN_HOME/bin/startManagedWebLogic.sh soa_server1
    
  5. Verify the patch is active by re-running the unauthenticated endpoint test from Section 3 (Manual Testing Steps, step 2). The endpoint should now return HTTP 401 Unauthorized.

  6. If immediate patching is not possible, apply the following network-level mitigations as a temporary measure (these do NOT eliminate the vulnerability — they reduce exposure):

    • Block all external access to OIM/OWSM ports (14000, 14001, 7001, 7002) at the network perimeter.
    • Restrict access to these ports to known IP ranges (jump hosts, admin workstations) using firewall ACLs.
    • Deploy a WAF rule to block unauthenticated requests to the /iam/governance/ and /wsm-pm/ URI prefixes.

Code Fix Example

The root cause is missing authentication enforcement on a critical REST endpoint. If you have custom OIM extensions or extensions built on the affected API:

Before (vulnerable — no authentication check):

import java.util.List;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/selfservice/api/v1/admin")
public class AdminResource {
    private UserService userService;  // application-specific service, injected by the container

    @GET
    @Path("/users")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getAllUsers() {
        // No authentication check: any caller that can reach the endpoint gets the full user list
        List<User> users = userService.getAll();
        return Response.ok(users).build();
    }
}

After (patched — authentication enforced):

import java.util.List;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;

@Path("/selfservice/api/v1/admin")
@SecurityRequirement(name = "bearerAuth")   // OpenAPI documentation only; enforcement happens below
public class AdminResource {
    private UserService userService;  // application-specific service, injected by the container

    @GET
    @Path("/users")
    @Produces(MediaType.APPLICATION_JSON)
    @RolesAllowed({"OIM_ADMIN", "SYSTEM_ADMIN"})  // enforced by the JAX-RS runtime's role filter
    public Response getAllUsers(@Context SecurityContext sc) {
        // Explicit principal check as a fallback in case role-based filtering is not registered
        if (sc.getUserPrincipal() == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        List<User> users = userService.getAll();
        return Response.ok(users).build();
    }
}

Configuration Hardening

After patching, apply these configuration-level controls:

  • Enforce HTTPS only: Disable HTTP on OIM/OWSM ports; require TLS 1.2+ for all connections.
  • Attach OWSM security policies: In the WebLogic console, navigate to each web service endpoint and ensure a wss_http_token_service_policy or stronger policy is attached.
  • Enable WebLogic audit logging: Capture all authentication attempts and failures.
  • Network segmentation: Place OIM/OWSM servers in a dedicated DMZ segment accessible only from application servers and admin jump hosts.

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: Confirm the patch is correctly installed and OPatch reports it as applied.
  • Scenario B: Confirm unauthenticated requests to previously vulnerable endpoints now return HTTP 401.
  • Scenario C: Confirm authenticated administrative users can still successfully perform identity management operations (no functionality regression).
  • Scenario D: Confirm OWSM policy enforcement is active — unauthenticated SOAP calls return a security fault.

Security Test Cases

Test Case 1: Verify vulnerability no longer exists

  • Precondition: Patch applied and OIM server restarted
  • Steps: Send unauthenticated HTTP GET to /iam/governance/selfservice/api/v1/users without any Authorization header
  • Expected Result: Server returns HTTP/1.1 401 Unauthorized with an authentication challenge

Test Case 2: Confirm authenticated access still works

  • Precondition: Patch applied; valid OIM admin credentials available
  • Steps: Send authenticated HTTP GET to the same endpoint with a valid Bearer token
  • Expected Result: Server returns HTTP/1.1 200 OK with user list data — no regression

Test Case 3: OWSM policy enforcement

  • Precondition: OWSM patch applied and security policies attached
  • Steps: Send a SOAP request without WS-Security headers to a protected OWSM endpoint
  • Expected Result: Server returns a SOAP fault: Authentication Failed or Policy Violated

Automated Tests

import os

import pytest
import requests

# Instance under test; override via the OIM_BASE environment variable
OIM_BASE = os.environ.get("OIM_BASE", "https://your-oim-host:14001")
USERS_ENDPOINT = f"{OIM_BASE}/iam/governance/selfservice/api/v1/users"
# Path to a CA bundle that trusts the server certificate; unset disables verification
VERIFY_TLS = os.environ.get("OIM_CA_BUNDLE", False)


@pytest.fixture
def oim_token():
    """Bearer token for a valid OIM admin, supplied via OIM_TOKEN.
    The regression check is skipped, not failed, when no token is provided."""
    token = os.environ.get("OIM_TOKEN")
    if not token:
        pytest.skip("OIM_TOKEN not set; skipping authenticated regression check")
    return token


def test_unauthenticated_request_rejected():
    """CVE-2026-21992: unauthenticated endpoint access must be blocked after the patch."""
    resp = requests.get(
        USERS_ENDPOINT,
        headers={"Content-Type": "application/json"},
        verify=VERIFY_TLS,
        timeout=10,
    )
    assert resp.status_code == 401, (
        f"Expected 401 Unauthorized, got {resp.status_code}. "
        "Possible CVE-2026-21992 still present!"
    )


def test_authenticated_request_succeeds(oim_token):
    """Authenticated access should work normally post-patch (regression check)."""
    resp = requests.get(
        USERS_ENDPOINT,
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {oim_token}",
        },
        verify=VERIFY_TLS,
        timeout=10,
    )
    assert resp.status_code == 200, f"Authenticated request failed: {resp.status_code}"

6. Prevention & Hardening

Best Practices

  • Patch on Oracle's regular CPU cycle AND monitor for out-of-band alerts. CVE-2026-21992 was patched outside Oracle's quarterly Critical Patch Update — sign up for Oracle Security Alerts at oracle.com/security-alerts to receive immediate notification.
  • Never expose Oracle Fusion Middleware admin interfaces directly to the internet. OIM and OWSM administrative endpoints should be accessible only through an authenticated reverse proxy or VPN.
  • Apply least-privilege to Oracle application server accounts. The process account running OIM/OWSM should have only the permissions it needs — not root, DBA, or domain admin.
  • Use an API Gateway or WAF in front of OIM REST APIs. Enforce authentication at the gateway layer as a defense-in-depth measure, independent of application-level controls.
  • Conduct regular authenticated and unauthenticated scans of Oracle Fusion Middleware assets using Tenable, Qualys, or Rapid7 with Oracle-specific plugins enabled.

Monitoring & Detection

Even with the patch applied, implement detection for exploitation attempts:

  • WAF/IDS Rule: Alert on unauthenticated HTTP requests to /iam/governance/, /oim/, and /wsm-pm/ paths from unexpected source IPs.
  • WebLogic Server Log: Monitor $DOMAIN_HOME/servers/*/logs/*.log for authentication failure events — a spike in 401s may indicate active scanning.
  • SIEM Correlation: Correlate OIM audit logs (identity provisioning events executed without a corresponding authenticated session) to detect if exploitation occurred before patching.
  • Network Flow Analysis: Unusual HTTP POSTs from unexpected source IPs to OIM service ports are a red flag.

Example Splunk query for detection:

index=weblogic sourcetype=oracle_oim_access
uri="/iam/governance/selfservice/api/*"
status!=401 status!=403
(user="-" OR user="" OR user="anonymous")
| stats count by src_ip, uri, status
| where count > 5
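The Splunk query above expresses the detection as a SIEM search. The following is an added example, not from this page or from Oracle, that applies the same logic in Python to raw access-log lines, so the rule can be exercised offline or run on a host where no SIEM ingests the WebLogic logs. The lines in SAMPLE_LOG are constructed; the Common Log Format layout (WebLogic's default for access.log, with "-" in the user field for an unauthenticated request) and the watched URI prefixes taken from the WAF/IDS bullet above are assumptions, so adjust the regex if your domain writes an extended log format.

```python
import re
from collections import Counter

# Same URI prefixes as the WAF/IDS rule above (assumed to be the sensitive paths).
WATCHED_PREFIXES = ("/iam/governance/", "/oim/", "/wsm-pm/")
# Statuses that mean the server rejected the request; those are not hits.
REJECTED = {401, 403}
# User-field values that mean "no authenticated principal" (assumed, as in the SPL).
ANONYMOUS = {"-", "", "anonymous"}

# Constructed sample lines in Common Log Format; not real traffic.
# Six anonymous 200s from one source to the users endpoint should trip the threshold;
# everything else is below threshold, authenticated, rejected, or outside the watched paths.
SAMPLE_LOG = """\
10.0.5.23 - - [02/Mar/2026:09:14:01 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 842
10.0.5.23 - - [02/Mar/2026:09:14:02 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 842
10.0.5.23 - - [02/Mar/2026:09:14:03 +0000] "POST /iam/governance/selfservice/api/v1/users?x=1 HTTP/1.1" 200 842
10.0.5.23 - - [02/Mar/2026:09:14:04 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 842
10.0.5.23 - - [02/Mar/2026:09:14:05 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 842
10.0.5.23 - - [02/Mar/2026:09:14:06 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 842
10.0.5.23 - - [02/Mar/2026:09:14:07 +0000] "GET /iam/governance/selfservice/api/v1/roles HTTP/1.1" 200 310
10.0.5.23 - - [02/Mar/2026:09:14:08 +0000] "GET /iam/governance/selfservice/api/v1/roles HTTP/1.1" 200 310
10.0.5.23 - - [02/Mar/2026:09:14:09 +0000] "GET /iam/governance/selfservice/api/v1/orgs HTTP/1.1" 401 0
10.0.7.8 - alice [02/Mar/2026:09:15:00 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 1203
192.0.2.44 - - [02/Mar/2026:09:16:00 +0000] "GET /wsm-pm/ HTTP/1.1" 403 0
10.0.5.23 - - [02/Mar/2026:09:17:00 +0000] "GET /console/ HTTP/1.1" 302 0
this line is not in CLF and is skipped by the parser
"""

# host ident user [timestamp] "method uri protocol" status bytes
CLF = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or return None if it does not match."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["uri"] = rec["uri"].split("?", 1)[0]  # drop the query string so grouping is by path
    return rec


def is_unauth_hit(rec):
    """True when an anonymous request to a watched path was not rejected by the server."""
    return (
        rec["uri"].startswith(WATCHED_PREFIXES)
        and rec["status"] not in REJECTED
        and rec["user"] in ANONYMOUS
    )


def detect(lines, threshold=5):
    """Count unauthenticated, non-rejected hits by (src_ip, uri, status), mirroring
    'stats count by src_ip, uri, status | where count > 5', and return the groups
    above the threshold with the highest count first."""
    counts = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec and is_unauth_hit(rec):
            counts[(rec["src_ip"], rec["uri"], rec["status"])] += 1
    return sorted(
        ((key, n) for key, n in counts.items() if n > threshold),
        key=lambda kv: kv[1],
        reverse=True,
    )


if __name__ == "__main__":
    for (src_ip, uri, status), n in detect(SAMPLE_LOG.splitlines()):
        print(f"{src_ip} -> {uri} status={status} count={n}")
```

On the constructed sample the only group over the threshold is the six anonymous POSTs from 10.0.5.23 to the users endpoint; the two anonymous requests to the roles endpoint stay below it, the 401 and 403 responses are excluded as rejected, alice's authenticated request is excluded by the user field, and the /console/ request is outside the watched prefixes. The threshold is deliberately a parameter: a lower value during the first days after patching trades more noise for earlier notice of scanning.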
