This vulnerability affects Oracle Identity Manager Connector 12.2.1.4.0, specifically the Microsoft Active Directory component. It permits a low privileged attacker with network access via LDAP to compromise the connector, resulting in unauthorized modification and partial unauthorized reading of accessible data. The CVSS 3.1 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, low confidentiality impact, high integrity impact, and no availability impact. Oracle has released a Critical Patch Update in April 2026 that includes patches addressing this vulnerability among others. No known exploits are reported in the wild at this time.

Successful exploitation can lead to unauthorized creation, deletion, or modification of critical or all accessible data within Oracle Identity Manager Connector, as well as unauthorized read access to a subset of data. This impacts data integrity significantly and confidentiality to a lesser extent. There is no impact on availability. The vulnerability requires network access via LDAP and is difficult to exploit, limiting the attack surface to some degree.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers should apply this update promptly to remediate the vulnerability. There is no indication from the vendor advisory that the vulnerability is already mitigated or requires no action. Patch status is confirmed by the vendor advisory. No additional mitigations are specified beyond applying the official patch.