Oracle issues emergency patch for critical pre-auth remote code execution vulnerability in Identity Manager

Oracle urgently patched a critical security flaw (CVE-2026-21992) affecting Oracle Identity Manager and Oracle Web Services Manager. The vulnerability stems from missing authentication on a critical function, enabling remote code execution without requiring credentials. Although there is no confirmed evidence of active exploitation, the severity and ease of exploitation prompted Oracle to issue an emergency fix and recommend immediate application of updates or mitigations to protect affected systems.