Skip to main content

Oracle Identity Manager CVE-2026-35265

| EUVDEUVD-2026-37397 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable HTTP endpoint (AV:N), no described preconditions (AC:L), requires a low-privileged authenticated OIM account (PR:L), no user interaction, and full takeover yields C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:17 vuln.today

DescriptionCVE.org

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker with HTTP access to fully compromise the Identity Manager component of Oracle Fusion Middleware. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation results in takeover of the identity governance platform itself. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged OIM credentials
Delivery
Reach Identity Manager HTTP endpoint
Exploit
Send crafted request to vulnerable Security component
Execution
Escalate to OIM administrator
Persist
Provision privileged identities via connectors
Impact
Pivot into downstream integrated systems

Vulnerability AssessmentAI

Exploitation The attacker must (1) have network HTTP/HTTPS reachability to an Oracle Identity Manager 12.2.1.4.0 or 14.1.2.1.0 deployment, and (2) hold valid credentials for any low-privileged account on that Identity Manager instance (PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) signals a high-priority issue: network-reachable, low complexity, no user interaction, only a low-privileged account required, and full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged Identity Manager account - for example via phishing a help-desk or self-service portal user, or by abusing a default/test account - authenticates to the OIM HTTP interface over the network and issues a crafted request to a vulnerable endpoint to escalate to full administrative control of Identity Manager. From that position the attacker creates a privileged identity, assigns themselves enterprise-wide entitlements through OIM's downstream connectors, and pivots into integrated systems (Active Directory, databases, SaaS apps). …
Remediation Apply the patches delivered in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Oracle's CPU is the only sanctioned fix path for Fusion Middleware components. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Oracle Identity Manager instances and confirm versions (12.2.1.4.0 and 14.1.2.1.0); document network accessibility and authentication requirements. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-22956 CRITICAL POC
9.8 Apr 13

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth

CVE-2022-22954 CRITICAL POC
9.8 Apr 11

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side templa

CVE-2022-31660 HIGH POC
7.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. Rat

CVE-2022-22960 HIGH POC
7.8 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due t

CVE-2022-22957 HIGH POC
7.2 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities

CVE-2022-31656 CRITICAL POC
9.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2022-22972 CRITICAL POC
9.8 May 20

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2019-2729 CRITICAL POC
9.8 Jun 19

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Rated cr

CVE-2017-10151 CRITICAL
10.0 Oct 30

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Rate

CVE-2014-2880 MEDIUM POC
5.8 Apr 17

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.

CVE-2019-11358 MEDIUM POC
6.1 Apr 20

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) becaus

CVE-2017-3553 CRITICAL
9.9 Apr 24

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Rules Engine). Rated c

Share

CVE-2026-35265 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy