Introduction
Oracle's April 2026 Critical Patch Update quietly addressed a cluster of critical vulnerabilities in the Oracle Identity Manager Connector, and CVE-2026-34286 stands out with a CVSS 3.1 score of 9.1 due to its unauthenticated, network-exploitable nature. For organizations running Oracle Fusion Middleware with identity management connectors, this flaw allows a remote attacker to read and manipulate all identity data accessible by the connector without ever presenting credentials.
Oracle Identity Manager Connector is a component within Oracle Fusion Middleware that bridges Oracle Identity Manager to external target systems (directories, databases, applications) for automated identity provisioning and lifecycle management. It is widely deployed in enterprise environments that rely on Oracle's identity governance stack, particularly in financial services, government, and large enterprises managing thousands of user identities. A vulnerability in this component has direct implications for the integrity of identity provisioning workflows and the confidentiality of identity data flowing between systems.
Technical Information
The vulnerability resides in the Core component of the Oracle Identity Manager Connector within the Oracle Fusion Middleware suite. Oracle describes exploitation as easily achievable for an unauthenticated attacker who has network access to the system via HTTPS. Any exposed endpoint handling HTTPS traffic for the connector can be targeted directly without the need for prior credential compromise or internal system access.
CVSS 3.1 Vector Analysis
The full CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, which breaks down as follows:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over HTTPS without local access |
| Attack Complexity | Low | No special conditions or race conditions needed |
| Privileges Required | None | No prior authentication or user credentials needed |
| User Interaction | None | Executes without any action from a legitimate user |
| Scope | Unchanged | Impact confined to the vulnerable component |
| Confidentiality Impact | High | Complete unauthorized access to critical data |
| Integrity Impact | High | Unauthorized creation, deletion, or modification of data |
| Availability Impact | None | System remains operational, making attacks stealthy |
Attack Characteristics
The combination of High Confidentiality and High Integrity impacts with no Availability impact is particularly noteworthy from a detection standpoint. An attacker can silently exfiltrate or alter identity data without triggering typical downtime or service degradation alerts. In an identity management context, this means user accounts could be created, privileges escalated, or identity records modified without obvious operational disruption.
Oracle has not published detailed technical descriptions of the root cause beyond the advisory metadata. However, the attack characteristics (unauthenticated, network accessible via HTTPS, targeting the Core component) indicate a flaw in how the connector processes or authorizes incoming HTTPS requests at a fundamental level. The fact that sibling CVEs CVE-2026-34285 and CVE-2026-34287 share identical CVSS scores, the same affected version, and the same attack profile suggests a systemic issue within the Core component's request handling or authorization logic rather than an isolated bug.
Broader Vulnerability Cluster
CVE-2026-34286 is one of at least seven CVEs patched in the Oracle Identity Manager Connector's Core component in the April 2026 CPU:
| CVE | CVSS Score | Protocol | Notes |
|---|---|---|---|
| CVE-2026-34285 | 9.1 | HTTPS | Identical attack profile to CVE-2026-34286 |
| CVE-2026-34286 | 9.1 | HTTPS | This vulnerability |
| CVE-2026-34287 | 9.1 | HTTPS | Identical attack profile to CVE-2026-34286 |
| CVE-2026-34288 | 5.9 | HTTPS | Higher attack complexity required |
| CVE-2026-34289 | 5.9 | HTTPS | Higher attack complexity required |
| CVE-2026-34290 | 7.5 | TCP | Denial of service vector |
| CVE-2026-34294 | 5.9 | LDAP | Requires low privileges |
This clustering strongly suggests Oracle undertook a broader security audit and remediation effort across the Identity Manager Connector's core, uncovering multiple related issues.
Patch Information
Oracle addressed CVE-2026-34286 in its April 2026 Critical Patch Update (CPU), released on April 21, 2026. This quarterly CPU collectively addresses 483 new security patches across a wide range of Oracle products.
The sole affected version is 12.2.1.4.0 of the Oracle Identity Manager Connector. As is standard with Oracle CPUs, the specific patch binaries are not publicly available; they are distributed through My Oracle Support (MOS). Oracle does not publish open-source diffs or detailed technical descriptions of the fix beyond the advisory metadata.
Customers with active Oracle support contracts should apply the April 2026 CPU patch set for Oracle Fusion Middleware 12.2.1.4.0 to remediate this vulnerability. Given the cluster of related CVEs in the same component, applying the full CPU rather than individual patches is strongly recommended.
Prioritization guidance:
- Instances reachable via the public internet over HTTPS should be patched immediately.
- Internally accessible instances should follow as soon as possible.
- While patches are being deployed, increase monitoring of audit logs for unusual identity lifecycle events such as unexpected account creations, privilege escalations, or bulk data modifications.
- Security operations centers should watch for anomalous HTTPS traffic directed at Oracle Identity Manager Connector endpoints.
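The audit-log monitoring recommended above is easy to start on before the patch window opens. The following sweep is an added example, not an Oracle tool: it assumes a simplified pipe-delimited audit export (`timestamp|actor|event|target|detail`) with constructed event names, role names and sample lines, and flags the three patterns the guidance names (bursts of account creations, grants of sensitive roles, and bulk modifications by one actor). Map the field names and thresholds onto your own OIM or connector audit export before use.

```python
"""Audit-log sweep for unusual identity lifecycle events (added example, not an Oracle tool).

Assumes a simplified pipe-delimited audit export:
    timestamp|actor|event|target|detail
The format, event names, role names and sample lines are constructed for this
example; adapt them to the real audit export before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles whose assignment is treated as privilege escalation (assumed names).
SENSITIVE_ROLES = {"SYSTEM ADMINISTRATORS", "OIM_ADMIN", "IDENTITY_ADMIN"}

# Constructed sample export: normal HR-driven provisioning, then a late-night burst
# of creations, a sensitive role grant and a bulk attribute rewrite by one actor.
SAMPLE_LOG = [
    "2026-04-22T08:00:00|svc_oim_connector|USER_CREATE|jsmith|source=HR_FEED",
    "2026-04-22T09:15:00|svc_oim_connector|USER_MODIFY|jsmith|attr=department",
    "2026-04-22T10:30:00|svc_oim_connector|ROLE_GRANT|jsmith|FINANCE_VIEWER",
    "2026-04-22T23:41:02|unknown|USER_CREATE|tmp_a1|source=CONNECTOR_API",
    "2026-04-22T23:41:40|unknown|USER_CREATE|tmp_a2|source=CONNECTOR_API",
    "2026-04-22T23:42:15|unknown|USER_CREATE|tmp_a3|source=CONNECTOR_API",
    "2026-04-22T23:42:50|unknown|USER_CREATE|tmp_a4|source=CONNECTOR_API",
    "2026-04-22T23:43:30|unknown|USER_CREATE|tmp_a5|source=CONNECTOR_API",
    "2026-04-22T23:45:10|unknown|ROLE_GRANT|tmp_a1|SYSTEM ADMINISTRATORS",
] + [f"2026-04-22T23:50:{i:02d}|unknown|USER_MODIFY|user{i:03d}|attr=email" for i in range(25)]


def parse_line(line):
    """Parse one export line into a dict with a datetime timestamp."""
    ts, actor, event, target, detail = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "event": event, "target": target, "detail": detail}


def burst_alerts(events, event_type, threshold, window):
    """Flag any actor who performs `event_type` at least `threshold` times within `window`.

    Uses a sliding window over each actor's sorted timestamps; one alert per actor.
    """
    alerts = []
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == event_type:
            by_actor[e["actor"]].append(e["ts"])
    for actor, stamps in by_actor.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append(f"BURST {event_type}: {actor} performed {count} "
                              f"within {window} ending {stamps[end].isoformat()}")
                break
    return alerts


def sweep(lines, create_threshold=5, modify_threshold=20, window=timedelta(minutes=10)):
    """Return alert strings for the three patterns the patch guidance calls out."""
    events = [parse_line(line) for line in lines if line.strip()]
    alerts = []
    for e in events:
        if e["event"] == "ROLE_GRANT" and e["detail"] in SENSITIVE_ROLES:
            alerts.append(f"PRIV_ESCALATION: {e['actor']} granted {e['detail']} "
                          f"to {e['target']} at {e['ts'].isoformat()}")
    alerts += burst_alerts(events, "USER_CREATE", create_threshold, window)
    alerts += burst_alerts(events, "USER_MODIFY", modify_threshold, window)
    return alerts


if __name__ == "__main__":
    for alert in sweep(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the sweep raises exactly three alerts: the `SYSTEM ADMINISTRATORS` grant, five creations by one actor inside ten minutes, and twenty-five modifications inside the same window; the routine HR-feed activity earlier in the day produces nothing. Thresholds are deliberately parameters, because a healthy reconciliation run can legitimately create or modify many accounts at once and the right baseline is site-specific.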
Affected Systems and Versions
The vulnerability affects a single version:
- Product: Oracle Identity Manager Connector
- Component: Core
- Product Family: Oracle Fusion Middleware
- Affected Version: 12.2.1.4.0
- Protocol: HTTPS
Other Oracle Fusion Middleware products patched in the same April 2026 CPU (and worth reviewing for co-deployment) include:
- Oracle Identity Manager: versions 12.2.1.4.0, 14.1.2.0.0, 14.1.2.1.0
- Oracle Access Manager: version 14.1.2.0.0
- Oracle WebLogic Server: versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0
Vendor Security History
The April 2026 CPU addresses 483 new security patches across Oracle's product portfolio, which is consistent with the scale of Oracle's quarterly patch cycles. The presence of seven related CVEs in the Oracle Identity Manager Connector's Core component alone within a single CPU suggests this was the result of a focused security review of the connector's codebase. Oracle's advisory language ("Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible") reflects the vendor's standard urgency guidance for critical severity issues.