CVE-2026-46792 is a critical security vulnerability in Oracle Fusion Middleware Identity Manager Connector (Generic Unix Connector component) affecting versions 12.2.1.4.0 and 14.1.2.1.0. It allows a low privileged attacker with network access via HTTP to compromise the product, resulting in a complete takeover of the Identity Manager Connector. The vulnerability has a CVSS 3.1 score of 9.9, indicating high impact on confidentiality, integrity, and availability. The vulnerability also has scope change implications, potentially affecting additional Oracle products. Oracle has addressed this vulnerability in the June 2026 Critical Security Patch Update and advises customers to apply patches without delay. Until patched, risk reduction may be achieved by blocking network protocols required for exploitation and removing unnecessary privileges, though these may affect functionality.

Successful exploitation of this vulnerability can lead to full compromise of the Oracle Identity Manager Connector, impacting confidentiality, integrity, and availability of the system. Due to scope change, other Oracle products integrated with or dependent on the Identity Manager Connector may also be significantly impacted. The vulnerability is easily exploitable by a low privileged attacker with network access via HTTP, increasing the risk of widespread compromise if unpatched.

Oracle has released patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches promptly to remediate the vulnerability. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation and by removing unnecessary privileges from users who do not require them, though these measures may disrupt normal application functionality. Oracle recommends remaining on actively supported versions and applying security patches without delay.