News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Alerts
  3. CVE-2026-21992 Oracle Security Alert Advisory

CVE-2026-21992 Oracle Security Alert Advisory

This section contains time sensitive announcements about specific cyber threats, vulnerabilities and scams. Each alert has information you need to be aware of, and what actions to take to mitigate any risk to you or your organisation.

Subscribe to our updates to be notified as soon as we publish an alert.

9:00am, 26 March 2026

TLP Rating: Clear

CVE-2026-21992 Oracle Security Alert Advisory

A critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.

The NCSC encourages organisations in New Zealand that use affected versions of the product to review the vendor advisory and apply the remediation as soon as possible.

What's happening

Systems affected

This vulnerability affects the following products:

  • Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0

What to do

Prevention

To prevent exploitation, update affected products to a patched version. 

More information

Read more about this alert on the vendor website: 

Oracle Security Alert Advisory - CVE-2026-21992 External Link

If you require more information or further support, submit a report on our website:
Report an incident

If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.