This vulnerability affects Oracle Identity Manager Connector 12.2.1.4.0, specifically the Microsoft Active Directory component. It permits a low privileged attacker with network access via LDAP to compromise the connector, enabling unauthorized creation, deletion, or modification of critical data or all accessible data, and unauthorized read access to some data. The CVSS 3.1 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, low confidentiality impact, high integrity impact, and no availability impact. The vulnerability is classified as medium severity with a CVSS score of 5.9. Oracle’s April 2026 Critical Patch Update advisory includes patches addressing this and other vulnerabilities, urging customers to apply updates without delay.

If exploited, an attacker with low privileges and network access via LDAP could gain unauthorized capabilities to create, delete, or modify critical or all accessible data within the Oracle Identity Manager Connector. Additionally, unauthorized read access to a subset of data is possible. This compromises data integrity and confidentiality to varying degrees but does not affect availability. The vulnerability is difficult to exploit and no known exploits have been reported in the wild.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers are strongly advised to apply the April 2026 CPU promptly to mitigate this vulnerability. No alternative or temporary mitigations are specified by Oracle. Patch status is confirmed by the vendor advisory. There is no indication that this is a cloud service; thus, patching must be performed by customers on affected versions.