Skip to main content

Oracle Identity Manager CVE-2026-46810

| EUVDEUVD-2026-37328 MEDIUM
Improper Access Control (CWE-284)
2026-06-16 oracle
6.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network IIOP access with no authentication or interaction required, scope unchanged, and impact limited to partial data read and write with no availability disruption.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:26 vuln.today

DescriptionCVE.org

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: End User Self Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Identity Manager accessible data as well as unauthorized read access to a subset of Identity Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

AnalysisAI

Unauthenticated network exploitation of Oracle Identity Manager's End User Self Service component via the IIOP protocol allows partial read and write access to identity data in versions 12.2.1.4.0 and 14.1.2.1.0. The authentication bypass tag alongside a PR:N CVSS vector confirms no credentials are required, making this accessible to any attacker who can reach the IIOP endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed IIOP port on Identity Manager server
Exploit
Send unauthenticated IIOP request to End User Self Service component
Execution
Authentication check bypassed by vulnerable component
Impact
Read subset of identity data or perform unauthorized insert/update/delete on identity records

Vulnerability AssessmentAI

Exploitation Exploitation requires direct network access to the IIOP endpoint exposed by Oracle Identity Manager's End User Self Service component, which operates over a non-HTTP protocol (IIOP/CORBA, typically TCP 3700 or a site-configured port). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N places this in the medium tier, but the signals present a nuanced picture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker on a network segment with access to the Oracle Identity Manager IIOP port sends crafted IIOP protocol requests directly to the End User Self Service component without providing valid credentials. Because the authentication bypass condition allows the requests to be processed, the attacker can enumerate or modify a subset of identity records - for example, reading user account metadata or inserting unauthorized entitlement assignments to a controlled account. …
Remediation Apply Oracle's Critical Patch Update for June 2026, available via the advisory at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses this vulnerability across the two confirmed affected releases (12.2.1.4.0 and 14.1.2.1.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-22956 CRITICAL POC
9.8 Apr 13

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth

CVE-2022-22954 CRITICAL POC
9.8 Apr 11

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side templa

CVE-2022-31660 HIGH POC
7.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. Rat

CVE-2022-22960 HIGH POC
7.8 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due t

CVE-2022-22957 HIGH POC
7.2 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities

CVE-2022-31656 CRITICAL POC
9.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2022-22972 CRITICAL POC
9.8 May 20

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2019-2729 CRITICAL POC
9.8 Jun 19

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Rated cr

CVE-2017-10151 CRITICAL
10.0 Oct 30

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Rate

CVE-2014-2880 MEDIUM POC
5.8 Apr 17

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.

CVE-2019-11358 MEDIUM POC
6.1 Apr 20

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) becaus

CVE-2017-3553 CRITICAL
9.9 Apr 24

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Rules Engine). Rated c

Share

CVE-2026-46810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy