CRITICAL · CVE-2026-35268 · CNA: oracle

CVE-2026-35268: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core)

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Identity Manager. While the vulnerability is in Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1 base score: 9.9
Severity: CRITICAL
Fixed in: no upstream fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

A critical-severity authentication-bypass-to-takeover vulnerability affects Oracle Identity Manager (component: Core), versions 12.2.1.4.0 and 14.1.2.1.0. The flaw is reachable over the network via the T3 and IIOP protocols and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker full control over the Identity Manager instance, with scope change meaning the compromise can spill into additional products and systems beyond Identity Manager itself. No upstream fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment Oracle ships a fix.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-35268 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images layering Oracle Identity Manager components. Any image carrying an affected version (12.2.1.4.0 or 14.1.2.1.0) is flagged immediately in the customer registry and CI pipeline scan results.

Triage (status: Available)

HarborGuard triage is available with the full CVSS 3.1 score of 9.9 (Critical) surfaced on every matched finding, giving teams an immediate severity signal without manual lookup. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the appropriate inbox or ticketing integration configured within each customer organization.

Patch (status: Pending upstream)

Because no upstream fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the corrected version the moment Oracle publishes one. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads without requiring manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Identity Manager service over the network via the T3 or IIOP protocol; no local or physical access is needed.

  • Authentication: Required

    A low-privileged account is sufficient; the attacker does not need administrative credentials, but some valid credential is required.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can exploit the vulnerability entirely without involving another person.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental preconditions.

Blast Radius

  • Reads all data managed by Identity Manager, including stored credentials, user accounts, roles, and entitlement assignments.
  • Modifies or deletes Identity Manager configuration, user records, and access policies, enabling privilege escalation across managed systems.
  • Crashes or degrades the Identity Manager service, blocking authentication and provisioning workflows for dependent applications.
  • Because the CVSS scope is changed, a successful attacker can pivot to other products and infrastructure that trust or integrate with Identity Manager.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35268 has been active against all customer images since the advisory was ingested, with the 9.9 Critical severity score and scope-change flag surfaced on every matched finding. Because Oracle has not yet published a fix for versions 12.2.1.4.0 or 14.1.2.1.0, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically when an upstream fix ships. In the interim, compensating controls available through HarborGuard include network-policy isolation rules that restrict T3 and IIOP port exposure, egress filtering recommendations that limit the blast radius of a scope-change compromise, and continuous advisory monitoring so that no patch release goes undetected. For customers who opt into auto-remediation, the patched rebuild will trigger a regression test run and a PR against affected workloads with no manual steps required.

Affected packages

  • Oracle Corporation / Identity Manager: 12.2.1.4.0 · 14.1.2.1.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H