This vulnerability affects Oracle Identity Manager Connector 12.2.1.4.0 and is classified under CWE-284 (Improper Access Control). It allows an unauthenticated attacker to gain unauthorized access over the network via HTTPS, enabling them to create, delete, or modify critical data accessible through the Oracle Identity Manager Connector. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates that the attack requires no privileges or user interaction and can be performed remotely with low complexity. Oracle's April 2026 Critical Patch Update advisory includes patches for this vulnerability, emphasizing the importance of applying these updates promptly to prevent exploitation.

Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data within Oracle Identity Manager Connector, compromising confidentiality and integrity of all accessible data. This could result in significant security breaches affecting data trustworthiness and system operations. There is no reported impact on availability. No known exploits are currently active in the wild.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers should promptly apply this update to affected versions, specifically Oracle Identity Manager Connector 12.2.1.4.0, to remediate the vulnerability. Oracle strongly recommends staying on actively-supported versions and applying Critical Patch Updates without delay. Patch status is confirmed by the vendor advisory linked in the input data.