Skip to main content

Oracle Identity Manager EUVDEUVD-2026-37399

| CVE-2026-35268 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

T3/IIOP is network-reachable (AV:N) with low complexity (AC:L); a valid low-priv IdM account is required (PR:L); scope change to WebLogic domain (S:C) with full takeover (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:18 vuln.today

DescriptionCVE.org

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Identity Manager. While the vulnerability is in Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 (Fusion Middleware Core component) allows a low-privileged remote attacker to fully compromise the product via T3 or IIOP protocols, with scope change extending impact to other Fusion Middleware components. The CVSS 9.9 score reflects high confidentiality, integrity, and availability impact combined with low attack complexity. No public exploit identified at time of analysis, but Identity Manager's role as a central identity authority makes this a critical patching priority.

Technical ContextAI

Oracle Identity Manager is the identity governance and provisioning component of Oracle Fusion Middleware, responsible for managing user accounts, roles, and access entitlements across enterprise applications. The affected attack surface is the T3 (Oracle WebLogic's proprietary RMI protocol) and IIOP (CORBA's Internet Inter-ORB Protocol) listeners, which historically have been the vector for numerous WebLogic deserialization and remote code execution flaws. The CPE 'cpe:2.3:a:oracle_corporation:identity_manager' confirms the Identity Manager product itself, but the scope change (S:C) in the CVSS vector signals that exploitation crosses authorization boundaries - typical of WebLogic-hosted Java EE applications where compromising one deployed component yields control over the underlying server and adjacent applications. No CWE was assigned by Oracle, which is consistent with Oracle's standard CPU advisory practice of withholding root-cause detail.

RemediationAI

Apply the patches distributed in the Oracle Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html - Oracle CPU patches are the authoritative fix for both 12.2.1.4.0 and 14.1.2.1.0 branches; exact patch IDs are listed in the CPU patch matrix. Until the CPU can be staged through change management, restrict network reachability of the T3 and IIOP listeners by configuring WebLogic Connection Filters (weblogic.security.net.ConnectionFilterImpl) to allow only trusted management subnets, and front the Identity Manager HTTP endpoints with an authenticating reverse proxy; note that filtering T3/IIOP may break legitimate inter-domain RMI calls and JMS clients, so test in a non-production domain first. Rotate any low-privilege Identity Manager credentials that may have been exposed, since PR:L means a single leaked account is sufficient for exploitation.

CVE-2022-22956 CRITICAL POC
9.8 Apr 13

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth

CVE-2022-22954 CRITICAL POC
9.8 Apr 11

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side templa

CVE-2022-31660 HIGH POC
7.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. Rat

CVE-2022-22960 HIGH POC
7.8 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due t

CVE-2022-22957 HIGH POC
7.2 Apr 13

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities

CVE-2022-31656 CRITICAL POC
9.8 Aug 05

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2022-22972 CRITICAL POC
9.8 May 20

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability aff

CVE-2019-2729 CRITICAL POC
9.8 Jun 19

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Rated cr

CVE-2017-10151 CRITICAL
10.0 Oct 30

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Rate

CVE-2014-2880 MEDIUM POC
5.8 Apr 17

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.

CVE-2019-11358 MEDIUM POC
6.1 Apr 20

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) becaus

CVE-2017-3553 CRITICAL
9.9 Apr 24

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Rules Engine). Rated c

Share

EUVD-2026-37399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy