Vulnerability Report

CVE-2026-21992

Title: Oracle Fusion Middleware Takeover via REST WebServices

Auth Bypass

Proof Of Concept

PoC Available for CVE-2026-21992

CWE Category NVD-CWE-noinfo

Published Date Mar 20, 2026

Modified Date Mar 23, 2026

Exploit Status Available

Score 9.8 CVSS v3.1

Exploit Probability (EPSS)

0.07%

Vulnerability Summary

CVE-2026-21992: Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices) and Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Impacted Vendors

novell 1

oracle 2

ca 1

Reference Links

https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.8

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns