Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network IIOP access with no authentication or interaction required, scope unchanged, and impact limited to partial data read and write with no availability disruption.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: End User Self Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Identity Manager accessible data as well as unauthorized read access to a subset of Identity Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
AnalysisAI
Unauthenticated network exploitation of Oracle Identity Manager's End User Self Service component via the IIOP protocol allows partial read and write access to identity data in versions 12.2.1.4.0 and 14.1.2.1.0. The authentication bypass tag alongside a PR:N CVSS vector confirms no credentials are required, making this accessible to any attacker who can reach the IIOP endpoint. No public exploit or active exploitation has been identified at time of analysis, but the sensitivity of identity governance data elevates the practical risk beyond the moderate CVSS score alone.
Technical ContextAI
Oracle Identity Manager is an enterprise identity governance and provisioning platform within the Oracle Fusion Middleware stack, responsible for managing user lifecycle, roles, and entitlements across enterprise systems. The vulnerable component is the End User Self Service module, which handles self-service identity operations such as password resets and profile management. The attack vector is IIOP (Internet Inter-ORB Protocol), the network layer of CORBA (Common Object Request Broker Architecture), a legacy distributed computing protocol deeply embedded in Java EE and Oracle Application Server environments. IIOP endpoints are typically bound to high-numbered ports (e.g., TCP 3700 in WebLogic) and are not HTTP-based. The 'Authentication Bypass' tag combined with the PR:N metric in the CVSS vector indicates the IIOP interface in the End User Self Service component fails to enforce authentication checks prior to processing requests. No CWE is formally assigned, but the condition aligns broadly with CWE-306 (Missing Authentication for Critical Function) or CWE-862 (Missing Authorization). The CPE is cpe:2.3:a:oracle_corporation:identity_manager:*:*:*:*:*:*:*:*.
RemediationAI
Apply Oracle's Critical Patch Update for June 2026, available via the advisory at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses this vulnerability across the two confirmed affected releases (12.2.1.4.0 and 14.1.2.1.0). An exact patched release version number is not independently confirmed from the available data beyond the CPU advisory reference - consult the Oracle CPU table directly for the specific patch artifact. As a compensating control prior to patch application, restrict network access to the IIOP port (commonly TCP 3700 in WebLogic Server, or as configured in the local Oracle Application Server environment) using firewall rules or network ACLs, limiting reachability to trusted internal hosts only. This reduces the attack surface to internal threat actors but does not eliminate risk from insider threats or compromised internal hosts, and should be treated strictly as a temporary measure. If the End User Self Service component is not actively used, consider disabling or decommissioning it at the application server level to further reduce exposure, acknowledging that this may affect identity self-service workflows for end users.
More in Identity Manager
View allVMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side templa
VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. Rat
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due t
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Rated cr
Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Rate
Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) becaus
Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Rules Engine). Rated c
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37328