CRITICAL · CVE-2026-35294 · CNA: oracle

CVE-2026-35294: Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: Mainframe Connectors)

Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: Mainframe Connectors). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager Connector. While the vulnerability is in Identity Manager Connector, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager Connector. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1 base score: 9.9
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

A critical-severity flaw in Oracle Identity Manager Connector (Mainframe Connectors component), affecting versions 12.2.1.4.0 and 14.1.2.1.0, allows a low-privileged attacker who can reach the service over HTTP to fully compromise the product. Successful exploitation gives the attacker complete control over Identity Manager Connector, and the CVSS scope is Changed (S:C), so the impact extends to components beyond the connector itself. No fix versions have been published by Oracle as of this record; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as Oracle ships one.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-35294 is available across every HarborGuard environment. The CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer registry images, including custom-built images that layer Oracle Fusion Middleware components.

Triage: Available

HarborGuard triage scores this CVE at CVSS 9.9 Critical, surfacing it at the top of the severity queue. Per-environment compliance policy weighting is applied, and the finding is routed to the appropriate security or platform inbox within each customer organization.

Patch: Pending upstream

No fix version has been published by Oracle for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle; when Oracle publishes a patch, a patched-image rebuild at that version becomes available automatically. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are initiated without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Identity Manager Connector service over the network via HTTP (AV:N); no physical or local access is needed.

  • Authentication: Required

    A low-privileged account is sufficient (PR:L); the attacker does not need administrative credentials, but unauthenticated access alone is not enough.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed (UI:N); the attacker exploits the service directly.

  • Attack complexity: Low

    Exploitation is straightforward and reliable (AC:L), with no race conditions or special environmental prerequisites.

Blast Radius

  • A successful attacker can read all data managed by Identity Manager Connector, such as identity records, credentials, and mainframe account mappings (C:H).
  • The attacker can write to or modify identity and account data (I:H), enabling privilege escalation, account takeover, or fraudulent provisioning across connected mainframe systems.
  • The attacker can crash or otherwise make Identity Manager Connector unavailable (A:H), disrupting authentication and provisioning workflows for dependent systems.
  • Because the CVSS scope is Changed (S:C), the compromise extends beyond Identity Manager Connector itself into the additional products and systems that rely on it for identity decisions, as Oracle's advisory notes.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35294 is matched against images on every ingest cycle, covering both vendor-supplied and internally built images that include Oracle Identity Manager Connector 12.2.1.4.0 or 14.1.2.1.0. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on each ingest pass and will make a patched-image rebuild available the moment Oracle ships a corrected version. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuild, an automated regression run, and a PR opened against affected workloads with no manual steps required.

In the interim, compensating controls available for review include:

  • network-policy isolation to restrict HTTP access to Identity Manager Connector to known trusted callers only;
  • egress filtering to limit lateral movement from a compromised connector instance;
  • tightening account provisioning to reduce the pool of low-privilege accounts that can reach the exposed endpoint.

Affected packages
  • Oracle Corporation / Identity Manager Connector
    12.2.1.4.0 · 14.1.2.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H