External risk intelligence

Oracle Identity Manager Takeover Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-46807

A critical vulnerability in Oracle Identity Manager allows unauthenticated network attackers to achieve a full takeover of the system. This issue impacts the confidentiality, integrity, and availability of identity management services.

Missing Authentication

Oracle Identity Manager

12.2.1.4.0 and 14.1.2.1.0

Halo Surface Signal: 5 · Very likely · external exposure

Oracle Identity Manager is a centralized identity and access management solution. These systems are designed to be internet-facing or widely accessible across enterprise networks to manage user identities, authentication, and provisioning, making the component reachable by design.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle's Identity Manager product within its Fusion Middleware. This issue is easily exploitable by unauthenticated attackers over the network, potentially allowing them to completely take over the Identity Manager system, which manages user identities and access.

  • Unauthenticated network attackers can fully control Identity Manager.
  • Identity management systems are vital for secure access.
  • Confirm if this affects your sensitive identity operations.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can reach Oracle Identity Manager over the network using specific protocols and interact with its legacy user interface. This interaction targets a vulnerability within the Identity Manager component, which, when successfully triggered, can lead to the complete takeover of the system.

  • Network access required.
  • Vulnerable component: Identity Manager legacy UI.
  • Risk: Full system takeover.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker with network access could compromise Oracle Identity Manager, potentially leading to a full takeover of the system. This could impact the confidentiality, integrity, and availability of the Identity Manager service when accessed via T3 or IIOP protocols.

  • Identity Manager system data at risk.
  • Network access could allow compromise.
  • Takeover of Identity Manager service.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Identity Manager product is likely managed by application owners within the Identity and Access Management (IAM) domain, supported by infrastructure and platform teams. The first practical step is to locate all instances of the affected Identity Manager, determine their reachability and business criticality, identify the accountable owner, and then prioritize remediation efforts based on assessed risk.

  • IAM application owners should lead remediation.
  • Verify instance reachability and business impact.
  • Plan and coordinate remediation activities.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-46807 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle Identity Manager is easily exploitable by unauthenticated attackers over the network, potentially leading to full system compromise.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Oracle Identity Manager?

Oracle Identity Manager is a core component of Oracle Fusion Middleware used by organizations to centrally manage user identities, access rights, and automated provisioning across their technology stack. It serves as a foundational security tool that controls who can access what systems, acting as a gatekeeper for enterprise data and application permissions.

What does CVE-2026-46807 mean?

CVE-2026-46807 identifies a Missing Authentication for Critical Function (CWE-306) vulnerability. In plain terms, the software fails to verify the identity of someone requesting access to the system. Because this check is missing, an unauthorized user can interact with the legacy user interface and execute commands as if they were a legitimate administrator, leading to full control over the Identity Manager.

How is this vulnerability triggered?

An attacker triggers this bug by sending specific requests over the network using T3 or IIOP protocols to the affected Legacy UI component. The vulnerability requires direct network connectivity to the Identity Manager; it cannot be triggered if the system is completely isolated from the network or if traffic to these specific protocols is strictly blocked at the perimeter.
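The Attack Path section and the answer above both hinge on one reachability fact: the issue is triggered over T3 or IIOP, so it cannot be reached where those protocols are filtered at the perimeter. The following is an added example, not code from the advisory or from Oracle, that lets a network team confirm that filtering from a connection capture. It labels the first bytes seen on an Identity Manager listen port as plaintext T3 (WebLogic's T3 handshake opens with the ASCII banner `t3 <version>`), IIOP (GIOP messages start with the magic `GIOP`), TLS, or plain HTTP, and flags T3/IIOP arriving from untrusted zones. The sample connections, the zone labels and the `find_violations` helper are constructed for illustration.

```python
"""Added example (not part of the Halo advisory or Oracle tooling): classify
the first bytes of inbound connections to an Oracle Identity Manager listen
port and flag T3/IIOP, the protocols the advisory names, arriving from
untrusted networks.

Assumptions: the sample payloads and zone labels below are constructed."""


def classify_prefix(data):
    """Label a connection by its first bytes.

    - WebLogic's plaintext T3 handshake begins with the banner 't3 <version>'.
    - IIOP carries GIOP messages, whose first four bytes are the magic b'GIOP'.
    - TLS records begin with 0x16 0x03; t3s, iiops and https all look alike at
      this layer, so a TLS connection cannot be attributed without decryption.
    - Common request methods identify plain HTTP.
    """
    if data.startswith(b"t3 "):
        return "t3"
    if data.startswith(b"GIOP"):
        return "iiop"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if any(data.startswith(m + b" ") for m in (b"GET", b"POST", b"PUT", b"HEAD", b"OPTIONS")):
        return "http"
    return "unknown"


def find_violations(connections, untrusted_zones=("internet",)):
    """Return (source, label) for plaintext T3 or IIOP connections that reached
    the listener from an untrusted zone, i.e. traffic the perimeter should block."""
    out = []
    for src, zone, first_bytes in connections:
        label = classify_prefix(first_bytes)
        if zone in untrusted_zones and label in ("t3", "iiop"):
            out.append((src, label))
    return out


# Constructed samples: (source IP, source zone, first bytes seen on the OIM port).
SAMPLE_CONNECTIONS = [
    ("203.0.113.10", "internet", b"GET /identity/ HTTP/1.1\r\nHost: oim\r\n\r\n"),
    ("203.0.113.11", "internet", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("203.0.113.12", "internet", b"t3 12.2.1\n"),
    ("10.20.30.40", "enterprise", b"t3 12.2.1\n"),
    ("203.0.113.13", "internet", b"GIOP\x01\x02\x01\x00\x00\x00\x00\x10"),
]

if __name__ == "__main__":
    for src, label in find_violations(SAMPLE_CONNECTIONS):
        print(f"perimeter gap: {label} from {src}")
```

Only plaintext T3 and IIOP are attributed; a `tls` label covers t3s, iiops and https alike, so a TLS-wrapped listener on the same port still needs a separate check (for example, which ciphers and client certificates the listener accepts) before it can be declared filtered.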

Who should be concerned about this vulnerability?

Organizations running Oracle Identity Manager versions 12.2.1.4.0 or 14.1.2.1.0 should prioritize this. Halo Surface Signal notes that because these systems are designed to manage widespread enterprise identity and access, they are often reachable across broad networks or may be internet-facing by design, significantly increasing the risk of an unauthenticated attack reaching the vulnerable component.

How do I respond to this threat?

Begin by identifying all running instances of Identity Manager within your environment to understand your footprint. Coordinate with the identity and access management teams to determine which instances are reachable over your network. Once you have identified these systems, assess their business criticality and prepare to apply vendor-supplied updates or mitigation guidance to eliminate the authentication gap.
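The Operational Fix section and the answer above describe the same procedure: locate every Identity Manager instance, decide whether it is reachable over T3/IIOP, weigh business criticality, and order remediation accordingly. The following added example, which is not the advisory's or Oracle's code, carries that procedure through on a constructed inventory. The inventory format, zone labels and criticality scale are hypothetical; the affected versions are the two the advisory lists.

```python
"""Added example (not part of the Halo advisory or Oracle tooling): triage a
constructed inventory of Oracle Identity Manager instances for CVE-2026-46807.

Assumptions: the record layout, zone labels ("internet", "enterprise",
"isolated") and 1..3 criticality scale are hypothetical; the version list
comes from the advisory."""
from dataclasses import dataclass

# Affected base versions as listed in the advisory.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.1.0"}

# Protocols the advisory names as the path to the vulnerable component.
RISKY_PROTOCOLS = {"t3", "t3s", "iiop", "iiops"}


@dataclass
class OimInstance:
    host: str
    version: str
    owner: str               # accountable IAM application owner
    zone: str                # "internet", "enterprise" or "isolated" (hypothetical)
    exposed_protocols: set   # protocols reachable from outside the host's zone
    criticality: int         # 1 (low) .. 3 (high), hypothetical business scale


def is_affected(version):
    """Exact match against the advisory's version list.

    Caveat: an Oracle patch bundle does not change this base version string,
    so a match means 'release in scope', not 'unpatched'. Confirm the patch
    state from the Oracle home's OPatch inventory before closing the finding.
    """
    return version in AFFECTED_VERSIONS


def exposure_score(inst):
    """Higher means more reachable by an unauthenticated attacker over T3/IIOP.
    Zero when those protocols are filtered: the advisory states the issue
    cannot be triggered if traffic to them is strictly blocked."""
    if not (inst.exposed_protocols & RISKY_PROTOCOLS):
        return 0
    return {"internet": 3, "enterprise": 2, "isolated": 1}.get(inst.zone, 2)


def priority(inst):
    """Exposure times criticality, 0..9; only meaningful for affected releases."""
    return exposure_score(inst) * inst.criticality


def triage(inventory):
    """Every affected instance as (priority, host, owner), most urgent first.
    Affected-but-filtered hosts stay on the list with priority 0: they still
    need the vendor update, just not ahead of reachable ones."""
    rows = [(priority(i), i.host, i.owner) for i in inventory if is_affected(i.version)]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    OimInstance("oim-prod-1", "12.2.1.4.0", "iam-team", "internet", {"https", "t3"}, 3),
    OimInstance("oim-prod-2", "14.1.2.1.0", "iam-team", "enterprise", {"https", "iiop"}, 3),
    OimInstance("oim-dev-1", "14.1.2.1.0", "iam-dev", "enterprise", {"https"}, 1),  # T3/IIOP filtered
    OimInstance("oim-lab-1", "12.2.1.3.0", "iam-dev", "isolated", {"t3"}, 1),       # release not listed
]

if __name__ == "__main__":
    for prio, host, owner in triage(SAMPLE_INVENTORY):
        print(f"priority={prio} host={host} owner={owner}")
```

The ordering is deliberately simple (exposure multiplied by criticality) so that the accountable owner can see why a host ranks where it does; the important design choice is that a version match alone never drops a host from the list, while a confirmed T3/IIOP block only lowers its urgency.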
