This vulnerability affects Oracle Identity Manager components in versions 12.2.1.4.0 and 14.1.2.1.0. It permits an unauthenticated attacker with network access via the IIOP protocol to compromise the system by gaining unauthorized read and write access to certain Identity Manager data. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity but not availability. Oracle's June 2026 Critical Security Patch Update includes patches addressing this and many other vulnerabilities. Oracle strongly advises customers to apply these patches without delay to prevent exploitation. Until patches are applied, risk can be partially mitigated by blocking relevant network protocols or restricting privileges, though these measures may affect application functionality.

Successful exploitation allows an unauthenticated attacker to read, insert, update, or delete some data accessible through Oracle Identity Manager, compromising confidentiality and integrity of that data. There is no impact on system availability. The vulnerability is exploitable remotely over the network via IIOP without authentication, increasing the risk of unauthorized data manipulation or disclosure.

Oracle has released security patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches promptly. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation (such as IIOP) or by removing unnecessary privileges and access to relevant packages from users who do not require them. However, these workarounds may disrupt normal application functionality. Oracle recommends remaining on actively supported versions and applying security patches without delay.