This vulnerability affects Oracle Identity Manager Connector 12.2.1.4.0 and permits an unauthenticated remote attacker to exploit it over HTTPS without user interaction or privileges. Successful exploitation can result in unauthorized creation, deletion, or modification of critical data accessible through the Oracle Identity Manager Connector. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality and integrity impact without availability impact. Oracle has addressed this vulnerability in its April 2026 Critical Patch Update, which includes cumulative patches for multiple products including Oracle Fusion Middleware components.

An attacker exploiting this vulnerability can gain unauthorized access to critical data managed by Oracle Identity Manager Connector, including the ability to create, delete, or modify such data. This compromises the confidentiality and integrity of the data but does not affect availability. The vulnerability is remotely exploitable without authentication, increasing the risk of compromise if unpatched.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers should promptly apply the April 2026 Critical Patch Update to mitigate this vulnerability. Oracle strongly recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.