CVE-2026-35269 · Severity: HIGH · CNA: oracle

CVE-2026-35269: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices)

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Identity Manager accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Metrics

CVSS v3.1 base score: 7.5
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated integrity-bypass vulnerability exists in the REST WebServices component of Oracle Identity Manager (versions 12.2.1.4.0 and 14.1.2.1.0). The flaw is reachable over HTTP from any network location and requires no credentials or victim interaction to trigger. Successful exploitation gives an attacker full ability to create, delete, or modify any data that Identity Manager can access, including critical identity and access records. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-35269 is available across all HarborGuard environments, with the CVE matched against customer images within minutes of publication from upstream Oracle and NVD feeds. Matching runs against all images in connected registries and CI/CD pipelines, including custom-built images that package Identity Manager components.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights findings against each customer organization's configured compliance policy. Alerts are routed to the appropriate team inbox within each organization based on image ownership and policy thresholds.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the interim, compensating controls such as network-policy isolation and egress filtering can be applied where supported by customer environment configuration.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Identity Manager REST WebServices endpoint over the network via HTTP; no local access or physical proximity is needed.

  • Authentication: Not required

    No credentials of any privilege level are required; the vulnerable endpoint is accessible to unauthenticated requests.

  • Victim interaction: Not required

    The attack is fully server-side and completes without any action from a logged-in user or administrator.

  • Attack complexity: Low (AC:L in the published vector)

    Exploit conditions are straightforward and reliable, with no race conditions or environmental dependencies required to succeed.

Blast Radius

  • Attacker creates new identity records or administrative accounts inside Identity Manager, enabling persistent unauthorized access.
  • Attacker modifies existing user roles, entitlements, or access policies across any resource Identity Manager governs.
  • Attacker deletes identity or access records, disrupting provisioning workflows and audit trails.
  • All data accessible to Identity Manager is in scope for tampering, not just a subset of records.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35269 is active across connected environments, with images flagged at 7.5 HIGH severity as soon as they are scanned. Because Oracle has not yet released a fix for affected versions 12.2.1.4.0 and 14.1.2.1.0, no patched-image rebuild is currently available. HarborGuard re-evaluates the advisory on every ingest cycle and will surface a rebuild and, for customers with auto-remediation enabled, open a patch PR automatically the moment Oracle publishes a fix. In the meantime, customers are advised to consider network-policy controls that restrict HTTP access to Identity Manager REST endpoints to trusted source ranges only, and to review egress filtering rules to limit the blast radius if the service is compromised.
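A small triage script, added here and not part of the HarborGuard page or of Oracle's product, that applies the trusted-source-range advice above to reverse-proxy access logs: it flags write-method requests to the Identity Manager REST path that come from addresses outside an allowlist, which is the traffic a network-policy restriction would have blocked. The REST path prefix, the log format and the sample lines are assumptions or constructed data, not values from the advisory.

```python
import ipaddress
import re

# Assumption: the reverse proxy in front of Identity Manager writes a
# combined-log style line: client IP, method, path, protocol, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: REST WebServices are exposed under this prefix; adjust per deployment.
REST_PREFIX = "/iam/governance/"
# Methods that can create, modify or delete data (the impact described in the advisory).
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}

def is_trusted(ip, trusted_nets):
    """True when ip falls inside any of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)

def find_untrusted_writes(lines, trusted_cidrs):
    """Return (ip, method, path) for every write request to the REST prefix from outside trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, never treated as implicitly safe
        if (rec["method"] in WRITE_METHODS
                and rec["path"].startswith(REST_PREFIX)
                and not is_trusted(rec["ip"], nets)):
            hits.append((rec["ip"], rec["method"], rec["path"]))
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Apr/2026:10:00:01 +0000] "GET /iam/governance/api/v1/users HTTP/1.1" 200',
    '10.20.0.15 - - [01/Apr/2026:10:00:05 +0000] "POST /iam/governance/api/v1/users HTTP/1.1" 201',
    '203.0.113.7 - - [01/Apr/2026:10:01:09 +0000] "POST /iam/governance/api/v1/users HTTP/1.1" 201',
    '203.0.113.7 - - [01/Apr/2026:10:01:12 +0000] "DELETE /iam/governance/api/v1/users/42 HTTP/1.1" 204',
    '198.51.100.9 - - [01/Apr/2026:10:02:00 +0000] "GET /healthz HTTP/1.1" 200',
]
```

Running `find_untrusted_writes(SAMPLE_LOG, ["10.20.0.0/16"])` returns the two write requests from 203.0.113.7; the internal POST and the unrelated GETs are not reported.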

Affected packages
  • Oracle Corporation / Identity Manager
    12.2.1.4.0 · 14.1.2.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N