This vulnerability affects Oracle Identity Manager Connector 12.2.1.4.0 and allows an unauthenticated attacker with network access over HTTPS to compromise the system. Successful exploitation can result in unauthorized creation, deletion, or modification of critical data or full access to all data accessible by the Oracle Identity Manager Connector. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates that the attack requires no privileges or user interaction and can be performed remotely with low complexity, impacting confidentiality and integrity severely. Oracle has acknowledged this vulnerability in its April 2026 Critical Patch Update advisory and recommends applying the patches provided in this update.

The vulnerability allows an unauthenticated remote attacker to gain unauthorized access to critical data managed by Oracle Identity Manager Connector, including the ability to create, delete, or modify such data. This compromises the confidentiality and integrity of the affected system's data, potentially leading to significant security breaches. There is no reported impact on system availability. No known exploits have been reported in the wild so far.

Oracle has addressed this vulnerability in its April 2026 Critical Patch Update. Customers are strongly advised to apply the April 2026 Critical Patch Update for Fusion Middleware products, which includes patches for this vulnerability. Since the product is not a cloud service, remediation requires applying the official patches provided by Oracle. Patch status is confirmed by the vendor advisory. No alternative mitigations or workarounds are specified in the advisory.