Mallory

Oracle Identity Manager Connector Flaws Expose Critical Data to Unauthenticated Attackers

Tags: identity-authentication-vulnerability, widely-deployed-product-advisory, internet-facing-service-vulnerability
Updated April 21, 2026 at 11:06 PM (3 sources)

Oracle disclosed three high-severity vulnerabilities in the Oracle Identity Manager Connector component of Oracle Fusion Middleware, tracked as CVE-2026-34285, CVE-2026-34286, and CVE-2026-34287. The flaws affect supported version 12.2.1.4.0 and are described as easily exploitable by unauthenticated attackers with network access over HTTPS, including issues in the product's Core component.

Successful exploitation could allow attackers to create, delete, or modify critical data and gain unauthorized access to sensitive information, including potentially complete access to all data reachable through the Oracle Identity Manager Connector. Oracle assigned each vulnerability a CVSS v3.1 score of 9.1, citing high confidentiality and integrity impact with no availability impact, and referenced the issues in its Critical Patch Update advisory.

Timeline

  1. Apr 21, 2026

    Oracle discloses three critical Oracle Identity Manager Connector flaws

    Oracle disclosed CVE-2026-34285, CVE-2026-34286, and CVE-2026-34287 affecting Oracle Identity Manager Connector in Oracle Fusion Middleware version 12.2.1.4.0. The vulnerabilities were described as easily exploitable by unauthenticated attackers over HTTPS/network access and could allow unauthorized modification of critical data and access to connector-accessible data; each was rated CVSS 9.1.


Related Stories

Oracle Warns of Critical Unauthenticated RCE in Identity Manager and Web Services Manager

Oracle issued an out-of-band Security Alert for `CVE-2026-21992`, a critical unauthenticated remote code execution flaw affecting Oracle Fusion Middleware deployments that use Oracle Identity Manager and Oracle Web Services Manager. The vulnerability carries a CVSS 3.1 score of **9.8** and can be exploited remotely over the network with low complexity and no user interaction, raising particular concern for internet-facing systems. Oracle said the flaw affects the REST Web Services component in Oracle Identity Manager and the Web Services Security module in Oracle Web Services Manager. Successful exploitation could result in full system compromise, including credential theft and lateral movement, and the company urged customers to apply available patches immediately. Oracle also warned that organizations running unsupported versions should upgrade to supported releases, as fixes are only provided under Premier Support or Extended Support.

1 month ago

Oracle Critical Patch Update Fixes High-Severity Flaws in Enterprise Manager, Identity Manager, and PeopleTools

Oracle disclosed three high-severity vulnerabilities affecting core enterprise products in its Critical Patch Update advisory. **CVE-2026-34279** impacts the Event Management component of Oracle Enterprise Manager Base Platform versions `13.5` and `24.1` and is rated `CVSS 9.1`; Oracle said a high-privileged attacker with network access over HTTP could exploit the flaw to take over the platform, with potential impact extending to additional products because of a scope change. **CVE-2026-34286**, also rated `CVSS 9.1`, affects the Core component of Oracle Identity Manager Connector in Oracle Fusion Middleware version `12.2.1.4.0` and can be exploited by an unauthenticated attacker over HTTPS. Oracle also reported **CVE-2026-34309** in the Security component of PeopleSoft Enterprise PeopleTools versions `8.61` through `8.62`, assigning it a `CVSS 8.1` score. The flaw is described as easily exploitable by a low-privileged attacker with network access over HTTP and could allow unauthorized creation, deletion, or modification of critical data, along with access to sensitive or complete accessible data. Across the three disclosures, Oracle warned that successful exploitation could result in platform compromise, data tampering, and broad unauthorized access in widely deployed enterprise management and identity systems.

2 weeks ago

Critical RCE Vulnerability in Oracle Fusion Middleware (CVE-2025-61757)

A critical vulnerability, CVE-2025-61757, has been identified in Oracle Fusion Middleware's Identity Manager component, allowing remote, unauthenticated attackers to achieve arbitrary remote code execution. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and urging all organizations, especially those in the federal sector, to prioritize remediation. The affected versions include Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and exploitation could result in complete system compromise. Security researchers recommend immediate upgrades to patched versions to mitigate risk. Tools such as runZero can assist organizations in identifying vulnerable Oracle Identity Manager installations using queries like `vendor:="Oracle" product:="Identity Manager"`. CISA's Binding Operational Directive 22-01 requires federal agencies to remediate KEV-listed vulnerabilities by specified deadlines, but all organizations are strongly encouraged to address this critical issue promptly to reduce exposure to active threats.

1 month ago