Oracle has released an out-of-band security update to address CVE-2026-21992, a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw allows attackers to execute arbitrary code on vulnerable systems without authentication.

Because exploitation requires no authentication, the vulnerability poses a significant security risk: a remote attacker can gain complete control of affected systems. Oracle's decision to issue an emergency patch outside its regular quarterly update cycle underscores the severity of the flaw.