Skip to main content

Oracle Identity Manager EUVDEUVD-2026-37398

| CVE-2026-35267 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

REST endpoint is network-reachable (AV:N) with low complexity; any provisioned IdM user suffices (PR:L); no interaction; takeover yields full CIA impact within IdM (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:18 vuln.today

DescriptionCVE.org

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the Identity Manager instance via its REST WebServices component over HTTP. Oracle rates the flaw CVSS 8.8 with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity lifecycle and provisioning, successful exploitation has cascading impact across downstream applications it manages.

Technical ContextAI

Oracle Identity Manager is the identity governance and provisioning component of Oracle Fusion Middleware, exposing a REST WebServices interface (typically deployed on Oracle WebLogic Server) for self-service, delegated administration, and integration with downstream connectors. The vulnerable surface is this REST tier, where authenticated requests are processed against Identity Manager's privileged backend (user, role, and entitlement stores). No CWE is published with this advisory, but Oracle Critical Patch Updates historically attribute REST WebServices takeover bugs in Fusion Middleware to authorization/authentication-bypass or unsafe deserialization patterns; the CPE confirms scope is limited to the Identity Manager product itself (cpe:2.3:a:oracle_corporation:identity_manager) rather than the broader WebLogic container.

RemediationAI

Apply the Oracle Critical Patch Update of June 2026 for Fusion Middleware / Identity Manager as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory; exact patched release identifier not enumerated in the provided data, so administrators should pull the IdM bundle patch referenced for 12.2.1.4.0 and 14.1.2.1.0 from My Oracle Support. Until the CPU can be deployed, restrict network reachability of the Identity Manager REST WebServices endpoints (commonly under /iam/governance/ and /identity/) to trusted management networks via a reverse proxy or WebLogic network channel ACL, and tighten role assignments so that ordinary self-service users cannot reach administrative REST resources; the trade-off is broken self-service password reset and delegated admin flows for users outside the trust zone. Increase audit logging on REST WebServices and monitor for anomalous privilege escalation or role assignment events as a compensating detective control.

CVE-2022-22956 CRITICAL POC
9.8 Apr 13

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth

CVE-2022-22954 CRITICAL POC
9.8 Apr 11

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side templa

CVE-2022-31660 HIGH POC
7.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. Rat

CVE-2022-22960 HIGH POC
7.8 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due t

CVE-2022-22957 HIGH POC
7.2 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities

CVE-2022-31656 CRITICAL POC
9.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2022-22972 CRITICAL POC
9.8 May 20

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2019-2729 CRITICAL POC
9.8 Jun 19

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Rated cr

CVE-2017-10151 CRITICAL
10.0 Oct 30

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Rate

CVE-2014-2880 MEDIUM POC
5.8 Apr 17

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.

CVE-2019-11358 MEDIUM POC
6.1 Apr 20

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) becaus

CVE-2017-3553 CRITICAL
9.9 Apr 24

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Rules Engine). Rated c

Share

EUVD-2026-37398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy