CVE-2026-35265 · Severity: HIGH · CNA: oracle

CVE-2026-35265: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security)

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1 base score: 8.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unspecified security flaw in the Security component of Oracle Identity Manager (versions 12.2.1.4.0 and 14.1.2.1.0) allows a low-privileged attacker to reach the service over HTTP and fully compromise the product. No authentication beyond a basic account is needed, and no victim interaction is required. Successful exploitation gives the attacker full control over the Identity Manager instance, including read, write, and denial-of-service capability. No fix version has been published by Oracle; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-35265 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle Identity Manager components. No manual triage step is needed to trigger the scan.

Triage: Available

HarborGuard surfaces this CVE with its CVSS 3.1 score of 8.8 (HIGH) and weights it against each environment's configured compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Patch: Pending upstream

Because no fix version has been published by Oracle, no patched-image rebuild is available yet. HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched rebuild available automatically the moment an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Identity Manager service over the network via HTTP; no physical or local access is required.

  • Authentication: Required

    Any valid low-privilege account is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attack completes without any action from a logged-in user or administrator.

  • Attack complexity: Low

    The exploit is rated low complexity, meaning it is reliable and does not depend on race conditions or specific memory layout.

Blast Radius

  • A successful attacker reads all data stored in Identity Manager, including user credentials, role assignments, entitlements, and audit logs.
  • The attacker can modify or delete identity records, role assignments, and access policies across every managed system.
  • The attacker can crash or render the Identity Manager service unavailable, blocking authentication and provisioning workflows for dependent applications.
  • Because Identity Manager governs access to downstream systems, compromise enables lateral movement into any system whose access is brokered through it.

How HarborGuard Handles This

Available on HarborGuard: images containing Oracle Identity Manager 12.2.1.4.0 or 14.1.2.1.0 are flagged immediately upon scan with a HIGH severity alert (CVSS 8.8). Because Oracle has not yet published a fix, no automated rebuild or PR flow is triggered at this time. HarborGuard re-evaluates the advisory every ingest cycle so the rebuild pipeline activates the moment Oracle ships a patch; customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual steps. While no patch exists, recommended compensating controls include restricting network access to Identity Manager endpoints via Kubernetes NetworkPolicy or equivalent firewall rules, enforcing egress filtering to limit blast radius if the service is compromised, and auditing low-privilege accounts with HTTP access to the affected component. Teams may also consider feature-flag gating or temporary suspension of non-essential Identity Manager functionality until Oracle releases a fix.

Affected packages
  • Oracle Corporation / Identity Manager
    12.2.1.4.0 · 14.1.2.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H