Oracle issues emergency fix for critical Identity Manager and Web Services Manager RCE

An out-of-band security update was released yesterday to fix a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21992, in Identity Manager and Web Services Manager. The flaw carries a CVSS v3.1 score of 9.8.

KEY FACTS

  • Incident: Critical unauthenticated remote code execution vulnerability
  • CVE: CVE-2026-21992
  • Severity: CVSS v3.1 score 9.8
  • Affected products: Identity Manager and Web Services Manager, versions 12.2.1.4.0 and 14.1.2.1.0
  • Exploitability: Remotely exploitable over HTTP without authentication, low attack complexity

In a security advisory, Oracle said the flaw is remotely exploitable without authentication and may result in remote code execution, and strongly recommended that customers apply the updates or mitigations as soon as possible.

The vulnerability carries a CVSS v3.1 severity score of 9.8. Affected versions are Identity Manager 12.2.1.4.0 and 14.1.2.1.0 and Web Services Manager 12.2.1.4.0 and 14.1.2.1.0. The attack is low in complexity and can be carried out over HTTP without authentication or user interaction, which increases the risk for servers exposed to untrusted networks.

The fix was released through the Security Alert program that provides out-of-schedule fixes or mitigations for critical or actively exploited vulnerabilities. Patches from this program are offered only for versions under Premier or Extended Support, leaving older unsupported releases potentially vulnerable. The advisory does not disclose whether the vulnerability has been exploited and the company declined to comment when asked.

WHY IT MATTERS

An unauthenticated remote code execution flaw with a 9.8 score can allow attackers to take control of affected systems, raising operational and data risk for organisations that expose these services. Administrators should apply the Security Alert patches or mitigations promptly.