CVE-2026-34283: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data. in Oracle Corporation Oracle Identity Manager
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
AI Analysis
Technical Summary
This vulnerability affects Oracle Identity Manager components within Oracle Fusion Middleware, specifically versions 12.2.1.4.0 and 14.1.2.0.0. It is exploitable remotely over HTTP by unauthenticated attackers but requires user interaction from a third party. The vulnerability allows attackers to perform unauthorized read and modification operations on certain Oracle Identity Manager accessible data, indicating a scope change that may affect additional products. The CVSS vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, low confidentiality and integrity impact, and no availability impact. Oracle has included a patch for this vulnerability in its April 2026 Critical Patch Update, which addresses multiple security issues across Oracle products.
Potential Impact
Successful exploitation can result in unauthorized read access to some data and unauthorized update, insert, or delete operations on Oracle Identity Manager accessible data. The vulnerability affects confidentiality and integrity but does not impact availability. The scope of the vulnerability extends beyond Oracle Identity Manager to potentially impact additional products. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Oracle has released a patch for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers are strongly advised to apply this update promptly to mitigate the risk. Since this is a network-accessible vulnerability requiring user interaction, applying the official patch is the primary recommended mitigation. No vendor advisory indicates that no action is required or that the issue is already mitigated without patching.
CVE-2026-34283: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data. in Oracle Corporation Oracle Identity Manager
Description
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Oracle Identity Manager components within Oracle Fusion Middleware, specifically versions 12.2.1.4.0 and 14.1.2.0.0. It is exploitable remotely over HTTP by unauthenticated attackers but requires user interaction from a third party. The vulnerability allows attackers to perform unauthorized read and modification operations on certain Oracle Identity Manager accessible data, indicating a scope change that may affect additional products. The CVSS vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, low confidentiality and integrity impact, and no availability impact. Oracle has included a patch for this vulnerability in its April 2026 Critical Patch Update, which addresses multiple security issues across Oracle products.
Potential Impact
Successful exploitation can result in unauthorized read access to some data and unauthorized update, insert, or delete operations on Oracle Identity Manager accessible data. The vulnerability affects confidentiality and integrity but does not impact availability. The scope of the vulnerability extends beyond Oracle Identity Manager to potentially impact additional products. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Oracle has released a patch for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers are strongly advised to apply this update promptly to mitigate the risk. Since this is a network-accessible vulnerability requiring user interaction, applying the official patch is the primary recommended mitigation. No vendor advisory indicates that no action is required or that the issue is already mitigated without patching.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-03-26T19:48:45.676Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5a419fe3cd2cdf9f882
Added to database: 4/21/2026, 9:01:24 PM
Last enriched: 4/21/2026, 10:02:35 PM
Last updated: 4/22/2026, 7:38:18 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.