PatchSiren cyber security CVE debrief
CVE-2026-35267 Oracle Corporation CVE debrief
A high-severity vulnerability was found in Oracle Fusion Middleware's Identity Manager product, specifically in the REST WebServices component. The vulnerability is easily exploitable by a low-privileged attacker with network access via HTTP, potentially leading to a takeover of Identity Manager. This vulnerability, CVE-2026-35267, has a CVSS 3.1 Base Score of 8.8, indicating high confidentiality, integrity, and availability impacts. The affected versions are 12.2.1.4.0 and 14.1.2.1.0. An attacker with low privileges and network access via HTTP can easily exploit this vulnerability. To mitigate, apply the patch provided by Oracle Corporation as soon as possible, review and update access controls, monitor Identity Manager systems for suspicious activity, and consider implementing additional security measures such as Web Application Firewalls (WAFs).
- Vendor
- Oracle Corporation
- Product
- Identity Manager
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-18
Who should care
System administrators and security teams responsible for Oracle Fusion Middleware and Identity Manager should prioritize patching this vulnerability to prevent potential takeovers.
Technical summary
The vulnerability, CVE-2026-35267, is in the Identity Manager product of Oracle Fusion Middleware, specifically in the REST WebServices component. Supported versions affected are 12.2.1.4.0 and 14.1.2.1.0. The vulnerability has a CVSS 3.1 Base Score of 8.8, indicating high confidentiality, integrity, and availability impacts. An attacker with low privileges and network access via HTTP can easily exploit this vulnerability, potentially leading to a complete takeover of Identity Manager.
Defensive priority
High priority should be given to patching this vulnerability due to its high CVSS score and the potential for a low-privileged attacker to exploit it, leading to a significant impact on confidentiality, integrity, and availability.
Recommended defensive actions
- Apply the patch provided by Oracle Corporation as soon as possible.
- Review and update access controls to ensure that only necessary personnel have access to Identity Manager.
- Monitor Identity Manager systems for any suspicious activity.
- Consider implementing additional security measures such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.
- Perform a thorough review of Identity Manager configurations to ensure they align with security best practices.
- Implement additional logging and monitoring to detect potential exploitation attempts.
- Conduct regular security audits to identify and address any potential vulnerabilities.
Evidence notes
The CVE record was published on 2026-06-17T10:40:18.920Z and was last modified on 2026-06-18T04:16:45.940Z. The NVD entry is currently Analyzed. Oracle Corporation has provided a vendor advisory for this vulnerability.
Official resources
-
CVE-2026-35267 CVE record
CVE.org
-
CVE-2026-35267 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:40:18.920Z and has not been modified since then. The NVD entry is currently Analyzed.