HarborGuard Database
HIGH · CVE-2026-35267 · Published · Modified · CNA: oracle

CVE-2026-35267: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices)

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A vulnerability in the REST WebServices component of Oracle Identity Manager, part of Oracle Fusion Middleware, affects supported Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0. The flaw is reachable over the network via HTTP (AV:N), requires only a low-privileged account (PR:L), needs no victim interaction (UI:N) and has low attack complexity (AC:L). Oracle rates the outcome as takeover of Identity Manager, with high confidentiality, integrity and availability impact (CVSS 3.1 base score 8.8, HIGH). Oracle's advisory does not state the flaw class or mechanism; "takeover" is Oracle's impact wording and should not be read as confirming remote code execution specifically. No fix version has been published by Oracle; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-35267 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that package Oracle Fusion Middleware components. No manual configuration is required to receive coverage.

Triage: Available

Triage is available with the CVSS 3.1 score of 8.8 (HIGH) applied automatically, weighted against each customer organization's compliance policy to determine urgency and routing. Findings are delivered to the configured inbox or ticketing integration for the relevant team inside each customer environment.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's network-policy recommendations, such as restricting HTTP access to the REST WebServices endpoint to known, trusted network segments.

Exploit Conditions

  • Network reachability: Required (AV:N)

    The attacker must reach the Identity Manager REST WebServices endpoint over HTTP; the service must be exposed to the attacker's network segment.

  • Authentication: Required (PR:L)

    A valid account is required, but any low-privileged user credential is sufficient; no administrative or elevated role is needed.

  • Victim interaction: Not required (UI:N)

    The attack is entirely attacker-driven and needs no action from a logged-in user or administrator.

  • Attack complexity: Low (AC:L)

    Per CVSS 3.1, low attack complexity means no specialized access conditions or extenuating circumstances beyond the attacker's control need to exist: the attacker can expect repeatable success without winning a race condition, relying on a particular memory layout, or depending on other variable environmental factors.

Blast Radius

  • A successful attacker can read all data managed by Identity Manager (C:H), including user identities, credentials, roles, and access entitlements stored in the system.
  • The attacker can modify or delete identity records, role assignments, and access policies (I:H), corrupting the authorization state of every downstream system that trusts Identity Manager for provisioning or entitlement decisions.
  • The attacker can crash or otherwise render the Identity Manager service unavailable (A:H), blocking authentication and provisioning workflows for dependent applications.
  • Oracle describes the outcome as takeover of Identity Manager. The vector has scope unchanged (S:U), so the rated impact is confined to the Identity Manager component itself; any pivot beyond it would depend on what the host and its service account can reach and is not part of the score.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-35267 is flagged at HIGH severity (CVSS 8.8) and matched against any image in a connected registry or pipeline that includes Oracle Identity Manager 12.2.1.4.0 or 14.1.2.1.0. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically as soon as an upstream fix is available. For customers who opt into auto-remediation, that rebuild triggers a regression test run and opens a PR against affected workloads without manual intervention. In the interim, HarborGuard recommends network-policy controls that restrict HTTP access to the REST WebServices endpoint to explicitly trusted IP ranges or internal network segments, shrinking the attacker population from anyone who can both reach the endpoint and authenticate to the much smaller set of callers on those segments. Two caveats apply. First, PR:L means any valid account satisfies the authentication requirement, so a network restriction does not remove the risk from legitimate low-privileged users or from stolen credentials; log access to the REST endpoint so calls from unexpected sources or accounts can be investigated. Second, a restriction enforced at a reverse proxy must derive the client address from the TCP peer or from a forwarding header set by a proxy it controls, never from a client-supplied X-Forwarded-For value. Service-mesh authorization policies scoped to known consumers of the Identity Manager API are a viable alternative, and egress filtering from the Identity Manager host limits what an attacker who does succeed can reach afterwards, until Oracle ships a patch.
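The allowlist control described above, as an added example that is neither HarborGuard's nor Oracle's code: the decision logic is written as a WSGI middleware so it can be run and tested offline, whereas in a real deployment the same rule would sit in the reverse proxy, firewall or service mesh in front of WebLogic. The REST URL prefix, the trusted CIDR, the proxy address and the sample requests are all assumptions constructed for illustration. The example also covers the failure mode named above: it honours X-Forwarded-For only when the TCP peer is one of our own proxies, and even then takes the hop the proxy appended rather than the attacker-controlled leftmost entry.

```python
"""Source-IP allowlist for the Identity Manager REST WebServices path.

Added example, not HarborGuard's or Oracle's code. Models the compensating
control (restrict HTTP access to the REST endpoint to trusted segments) as a
WSGI middleware. URL prefix, CIDRs and proxy address are assumptions.
"""
import ipaddress

# Assumed URL prefix under which the REST WebServices are served.
REST_PREFIX = "/iam/governance/"


class RestAllowlist:
    """Deny requests under REST_PREFIX unless the client is in a trusted CIDR."""

    def __init__(self, app, trusted_cidrs, proxy_cidrs=(), prefix=REST_PREFIX):
        self.app = app
        self.prefix = prefix
        self.trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
        self.proxies = [ipaddress.ip_network(c) for c in proxy_cidrs]

    @staticmethod
    def _in(addr, nets):
        return any(addr in net for net in nets)

    def client_ip(self, environ):
        """Effective client address, or None if it cannot be established.

        X-Forwarded-For is honoured only when the TCP peer is one of our own
        proxies; any peer can send the header, so trusting it blindly would
        let an attacker claim an allowed address. The chain is walked from
        the right (the hop our proxy appended) and the first address that is
        not itself a proxy is the client; the leftmost entry is ignored.
        """
        try:
            peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
        except (KeyError, ValueError):
            return None
        if not self._in(peer, self.proxies):
            return peer
        raw = environ.get("HTTP_X_FORWARDED_FOR", "")
        hops = [h.strip() for h in raw.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return None
            if not self._in(addr, self.proxies):
                return addr
        return None  # came from our proxy, but no client address was forwarded

    def decide(self, environ):
        """True when the request may proceed to the application."""
        if not environ.get("PATH_INFO", "").startswith(self.prefix):
            return True  # the control is scoped to the REST prefix only
        addr = self.client_ip(environ)
        return addr is not None and self._in(addr, self.trusted)

    def __call__(self, environ, start_response):
        if self.decide(environ):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden: source not in a trusted segment\n"]


def _backend(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(app, path, remote_addr, xff=None):
    """Drive a WSGI app with a constructed request and return its status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    list(app(environ, start_response))
    return seen["status"]


# Assumed deployment: IAM admins live in 10.20.0.0/24, the ingress proxy is 10.0.0.10.
guard = RestAllowlist(_backend, trusted_cidrs=["10.20.0.0/24"], proxy_cidrs=["10.0.0.10/32"])
USERS = REST_PREFIX + "selfservice/api/v1/users"  # assumed REST resource path

if __name__ == "__main__":
    for label, args in [
        ("trusted segment, direct", (USERS, "10.20.0.5")),
        ("untrusted segment, direct", (USERS, "203.0.113.7")),
        ("spoofed XFF from untrusted peer", (USERS, "203.0.113.7", "10.20.0.5")),
        ("trusted client via our proxy", (USERS, "10.0.0.10", "10.20.0.5")),
        ("leftmost XFF spoof via our proxy", (USERS, "10.0.0.10", "10.20.0.5, 203.0.113.7")),
        ("non-REST path, untrusted", ("/identity/", "203.0.113.7")),
    ]:
        print(f"{label:34} -> {status_for(guard, *args)}")
```

The two spoofing cases are the ones worth studying: an untrusted peer that sends X-Forwarded-For: 10.20.0.5 is still judged by its own address and denied, and a request that arrives through our proxy with a forged leftmost entry is judged by the rightmost hop the proxy added. A request from the proxy with no forwarded address is denied rather than allowed, since the client cannot be identified.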

Affected packages
  • Oracle Corporation / Identity Manager: 12.2.1.4.0 · 14.1.2.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H