Oracle Critical Patch Update Fixes High-Severity Flaws in Enterprise Manager, Identity Manager, and PeopleTools
Oracle disclosed three high-severity vulnerabilities affecting core enterprise products in its Critical Patch Update advisory. CVE-2026-34279 impacts the Event Management component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 and is rated CVSS 9.1; Oracle said a high-privileged attacker with network access over HTTP could exploit the flaw to take over the platform, with potential impact extending to additional products because of a scope change. CVE-2026-34286, also rated CVSS 9.1, affects the Core component of Oracle Identity Manager Connector in Oracle Fusion Middleware version 12.2.1.4.0 and can be exploited by an unauthenticated attacker over HTTPS.
Oracle also reported CVE-2026-34309 in the Security component of PeopleSoft Enterprise PeopleTools versions 8.61 through 8.62, assigning it a CVSS 8.1 score. The flaw is described as easily exploitable by a low-privileged attacker with network access over HTTP and could allow unauthorized creation, deletion, or modification of critical data, along with unauthorized access to sensitive data or to all accessible data. Across the three disclosures, Oracle warned that successful exploitation could result in platform compromise, data tampering, and broad unauthorized access in widely deployed enterprise management and identity systems.
Timeline
Apr 21, 2026
Oracle discloses CVE-2026-34309 in PeopleSoft Enterprise PeopleTools
Oracle's April 2026 Critical Patch Update advisory also discloses CVE-2026-34309 in the Security component of PeopleSoft Enterprise PeopleTools versions 8.61 through 8.62. Oracle says a low-privileged attacker with HTTP network access could exploit it to access or modify critical data; the issue carries a CVSS 8.1 score.
Apr 21, 2026
Oracle discloses CVE-2026-34286 in Identity Manager Connector
Oracle disclosed CVE-2026-34286 in the April 2026 Critical Patch Update advisory as affecting the Core component of Oracle Identity Manager Connector version 12.2.1.4.0. The vulnerability is described as remotely exploitable by an unauthenticated attacker over HTTPS and could allow unauthorized data access or modification; Oracle assigned it a CVSS 9.1 score.
Apr 21, 2026
Oracle publishes April 2026 CPU with CVE-2026-34279 for Enterprise Manager
Oracle's April 2026 Critical Patch Update advisory includes CVE-2026-34279, affecting the Event Management component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. Oracle says the flaw is easily exploitable by a high-privileged attacker over HTTP and could enable takeover of the platform, with a CVSS 9.1 score.
Related Stories

Oracle Critical Patch Update Addresses Multiple High-Risk Enterprise Product Flaws
Oracle-related security advisories were issued for multiple enterprise products, including **Oracle Database Server**, **Oracle Fusion Middleware**, **Oracle REST Data Services**, **Oracle Java SE**, **Oracle Financial Services Applications**, and **Oracle E-Business Suite**. Germany's dCERT published separate advisories for each affected product line, indicating broad exposure across core Oracle infrastructure and business application environments. One of the disclosed flaws, **`CVE-2026-34275`**, affects the **Setup and Administration** component of **Oracle Advanced Inbound Telephony** in **Oracle E-Business Suite** versions **12.2.3 through 12.2.15**. Oracle rated the issue **critical** with a **CVSS v3.1 score of 9.8**, stating that an **unauthenticated attacker** with **network access over HTTP** could exploit it to achieve **full takeover** of the affected application. The vulnerability was disclosed as part of Oracle's broader Critical Patch Update, underscoring the need for organizations running Oracle platforms to prioritize patch review and remediation across exposed systems.
2 weeks ago
Oracle January Critical Patch Update Fixes CVSS 10.0 Oracle Fusion Middleware Flaw
Oracle released its January 2026 *Critical Patch Update (CPU)*, delivering **337 security updates addressing 158 unique CVEs** across roughly 30 product families; **27** of the updates were rated **critical**. Tenable’s analysis highlights broad exposure to remotely exploitable issues without authentication across multiple Oracle product lines, and notes **CVE-2026-21945**, a high-severity **SSRF** issue in Oracle Java, was discovered by Tenable Research. A standout issue in the CPU is **CVE-2026-21962** (CVSS **10.0**), an **easily exploitable, unauthenticated, network-reachable (HTTP)** vulnerability in Oracle Fusion Middleware components **Oracle HTTP Server** and the **WebLogic Server Proxy Plug-ins** (Apache and IIS). Successful exploitation can enable **unauthorized creation, deletion, or modification of critical data** and potentially broader downstream impact due to a **scope change** (`S:C`), meaning compromise may significantly affect additional products; affected versions include **12.2.1.4.0**, **14.1.1.0.0**, and **14.1.2.0.0** (with the IIS proxy plug-in affected in **12.2.1.4.0** only).
1 month ago
Oracle Warns of Critical Unauthenticated RCE in Identity Manager and Web Services Manager
Oracle issued an out-of-band Security Alert for `CVE-2026-21992`, a critical unauthenticated remote code execution flaw affecting Oracle Fusion Middleware deployments that use Oracle Identity Manager and Oracle Web Services Manager. The vulnerability carries a CVSS 3.1 score of **9.8** and can be exploited remotely over the network with low complexity and no user interaction, raising particular concern for internet-facing systems. Oracle said the flaw affects the REST Web Services component in Oracle Identity Manager and the Web Services Security module in Oracle Web Services Manager. Successful exploitation could result in full system compromise, including credential theft and lateral movement, and the company urged customers to apply available patches immediately. Oracle also warned that organizations running unsupported versions should upgrade to supported releases, as fixes are only provided under Premier Support or Extended Support.
1 month ago