www.darkreading.com 3/20/2026, 7:58:54 PM

Patch Now: Oracle's Fusion Middleware Has Critical RCE Flaw

CyberSIXT Evidence Panel

- CISA KEV: Listed in KEV
- Patch: Patch Available

Oracle has disclosed a critical remote code execution (RCE) flaw in Fusion Middleware, tracked as CVE-2026-21992, which affects Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM). The security alert notes that the vulnerability can be exploited without authentication, and that a successful exploit could allow attackers to manipulate identities, roles and policies, disable security policies and access sensitive data.

The issue carries a CVSS score of 9.8 and lies in the HTTP API surface of Oracle's identity and web-services security stack. Affected versions are 12.2.1.4.0 and 14.1.2.1.0. Researchers have discussed a possible link to a prior OIM vulnerability, CVE-2025-61757, though Oracle's advisory does not confirm it.

So far there is no public evidence of exploitation in the wild, but analysts warn that the blast radius could be significant: OIM is deployed at north of 1,000 organisations, including large multinationals such as Walmart, Huawei and ExxonMobil, according to Enlyft and Landbase. Oracle normally bundles fixes into its quarterly updates and issues separate alerts only for urgent issues such as this one, and there is speculation that attackers may already be preparing exploits for deployments where the affected endpoint is reachable.


Article by CyberSIXT