Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46793

CVE-2026-46793: Oracle Identity Manager Auth Bypass Flaw

CVE-2026-46793 is an authentication bypass vulnerability in Oracle Identity Manager Connector that enables complete system takeover with a CVSS score of 9.9. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-46793 Overview

CVE-2026-46793 is an access control vulnerability [CWE-284] affecting the Database User component of Oracle Identity Manager Connector, part of Oracle Fusion Middleware. The flaw allows a low-privileged attacker with network access over HTTP to compromise the Identity Manager Connector. Because the vulnerability triggers a scope change, successful exploitation can impact additional products beyond the connector itself. Oracle published the advisory on June 17, 2026, affecting Oracle Identity Manager Connector versions 12.2.1.4.0 and 14.1.2.1.0.

Critical Impact

Attackers with low privileges and network access can achieve full takeover of Oracle Identity Manager Connector, with confidentiality, integrity, and availability impact extending to additional connected products.

Affected Products

  • Oracle Identity Manager Connector 12.2.1.4.0
  • Oracle Identity Manager Connector 14.1.2.1.0
  • Oracle Fusion Middleware deployments using the Database User component

Discovery Timeline

  • 2026-06-17 - Oracle releases security alert cspujun2026
  • 2026-06-17 - CVE-2026-46793 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-46793

Vulnerability Analysis

The vulnerability resides in the Database User component of Oracle Identity Manager Connector. The connector synchronizes identity data between Oracle Identity Manager and downstream database targets, brokering account provisioning, password updates, and entitlement changes. Improper access control [CWE-284] in this component allows an authenticated attacker with low privileges to perform actions reserved for higher-privileged roles.

Exploitation occurs over HTTP and does not require user interaction. The scope-changing nature of the flaw means that compromised privileges in the connector extend into downstream products that trust its identity operations. An attacker can therefore pivot from a constrained connector role into administrative control of integrated systems.

Successful exploitation results in full compromise of Identity Manager Connector, with impact to confidentiality, integrity, and availability of identity data and the systems it manages.

Root Cause

The root cause is improper access control in the Database User component. Authorization checks fail to enforce the privilege boundary between low-privileged authenticated users and operations that should require elevated roles. The connector does not adequately validate the requesting principal before performing privileged identity operations.

Attack Vector

The attack vector is network-based over HTTP. The attacker must possess valid low-privileged credentials to the connector. After authentication, the attacker issues crafted HTTP requests to the connector's exposed interfaces to invoke privileged identity management operations. Because the connector mediates downstream identity changes, the attacker can manipulate database user accounts and propagate impact to additional Oracle Fusion Middleware products.

No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.402%. Refer to the Oracle Security Alert for vendor technical details.

Detection Methods for CVE-2026-46793

Indicators of Compromise

  • Unexpected HTTP requests to Oracle Identity Manager Connector endpoints originating from accounts with low base privileges.
  • Identity provisioning or entitlement changes performed by users that lack administrative roles in audit logs.
  • Unauthorized creation, modification, or deletion of database user accounts via the connector.
  • Anomalous session activity from connector service accounts targeting downstream Fusion Middleware components.

Detection Strategies

  • Audit Oracle Identity Manager Connector access logs for low-privileged accounts invoking privileged operations.
  • Correlate connector activity with downstream database account changes to identify scope-change abuse.
  • Baseline normal connector API usage patterns and alert on deviations in request volume or endpoint access.

Monitoring Recommendations

  • Forward Oracle Fusion Middleware and connector audit logs to a centralized SIEM for correlation and retention.
  • Enable verbose authentication and authorization logging on the connector and monitor for privilege escalation events.
  • Track changes to Identity Manager Connector configuration files and Database User mappings.

How to Mitigate CVE-2026-46793

Immediate Actions Required

  • Apply the Oracle Critical Patch Update referenced in the Oracle Security Alert cspujun2026.
  • Inventory all deployments of Oracle Identity Manager Connector 12.2.1.4.0 and 14.1.2.1.0 and prioritize patching.
  • Review and reduce the population of low-privileged accounts with network access to the connector.
  • Rotate credentials for any service accounts used by the Database User component after patching.

Patch Information

Oracle addresses CVE-2026-46793 in the June 2026 Critical Patch Update. Administrators must apply the fixes documented in the Oracle Security Alert for versions 12.2.1.4.0 and 14.1.2.1.0. Validate patch application by checking connector build metadata after deployment.

Workarounds

  • Restrict network access to Identity Manager Connector HTTP endpoints to trusted management networks only.
  • Enforce least privilege on connector accounts and remove unused low-privileged identities.
  • Place a web application firewall in front of the connector and block unauthorized request patterns to privileged endpoints.
  • Monitor downstream database targets for unexpected account changes until patching is complete.
bash
# Example network restriction using iptables to limit connector access
iptables -A INPUT -p tcp --dport 14000 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 14000 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.