Introduction
An unauthenticated attacker who can reach Oracle Identity Manager Connector over HTTPS can silently read, modify, and delete critical identity data managed by the platform, all without any credentials or user interaction. CVE-2026-34287, disclosed as part of Oracle's April 2026 Critical Patch Update, carries a CVSS 3.1 base score of 9.1 and is one of a cluster of six related vulnerabilities patched simultaneously in the same component.
Oracle Identity Manager Connector is a component of Oracle Fusion Middleware that provides integration between Oracle Identity Manager (OIM) and external target systems such as directories, databases, and enterprise applications. It is widely deployed in large enterprises that rely on Oracle's identity governance stack to manage user provisioning, access requests, and compliance workflows. A compromise of this connector layer can undermine the trust model of an organization's entire identity infrastructure.
Technical Information
CVE-2026-34287 affects the Core component of Oracle Identity Manager Connector version 12.2.1.4.0 within Oracle Fusion Middleware. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, which tells us a great deal about the nature of the flaw.
CVSS Vector Breakdown
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over HTTPS |
| Attack Complexity (AC) | Low | No special conditions or race conditions required |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No victim action required |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | High | Full read access to critical data |
| Integrity (I) | High | Ability to create, modify, or delete critical data |
| Availability (A) | None | No denial of service impact |
The combination of no required privileges, no user interaction, and low attack complexity over a network vector makes this vulnerability particularly dangerous. An attacker needs only HTTPS reachability to the Connector's Core endpoints.
Root Cause Analysis
While Oracle has not disclosed granular technical details (consistent with their standard practice for CPU patches), the vulnerability profile strongly indicates a missing or broken authentication and authorization enforcement mechanism on HTTPS endpoints exposed by the Connector's Core request handling path. The fact that no privileges are required to exploit the flaw means that certain endpoints were accessible to completely unauthenticated callers, allowing both read and write operations on critical identity data.
Attack Flow
Based on the advisory details, the exploitation path follows this sequence:
- The attacker identifies a network-reachable Oracle Identity Manager Connector instance (version 12.2.1.4.0) exposed over HTTPS.
- The attacker sends crafted HTTPS requests to the Connector's Core component endpoints that lack proper authentication checks.
- Without providing any credentials, the attacker gains the ability to read all data accessible to the Connector, including critical identity and provisioning information.
- The attacker can also create, modify, or delete critical data through the same unauthenticated access path.
- Because the availability impact is None, the system continues operating normally, making the attack difficult to detect through availability monitoring alone.
Related Vulnerability Cluster
This CVE is not an isolated finding. Oracle patched a cluster of six related vulnerabilities in the same CPU, all targeting the Oracle Identity Manager Connector 12.2.1.4.0 Core component over HTTPS:
| CVE Identifier | Component | Protocol | CVSS Score |
|---|---|---|---|
| CVE-2026-34285 | Core | HTTPS | 9.1 |
| CVE-2026-34286 | Core | HTTPS | 9.1 |
| CVE-2026-34287 | Core | HTTPS | 9.1 |
| CVE-2026-34288 through CVE-2026-34290 | Core | HTTPS | Patched in same CPU |
| CVE-2026-34294 | Core | HTTPS | Patched in same CPU |
The clustering of these vulnerabilities suggests Oracle performed a focused security review of this specific integration component and identified multiple distinct flaws in the same area.
Patch Information
Oracle addressed CVE-2026-34287 as part of the April 2026 Critical Patch Update (CPU), released on April 21, 2026. This CPU is a large batch update addressing 483 new security patches across Oracle's product ecosystem.
The patch specifically remediates the network-accessible flaw in the Core component of Oracle Identity Manager Connector 12.2.1.4.0 that previously allowed an unauthenticated attacker to both read and modify critical data over HTTPS. Based on the advisory's risk matrix entry, the fix almost certainly involves tightening authentication or authorization enforcement in the Connector's Core request handling path, ensuring that HTTPS endpoints that previously lacked proper access controls now require valid credentials or tokens before serving or accepting data.
Because Oracle Identity Manager Connector is a closed-source, proprietary product, no public commit diff or open-source changeset is available. The actual binary patch is distributed exclusively through Oracle's My Oracle Support (MOS) portal and is accessible only to customers with active support contracts. Oracle deliberately withholds implementation specifics to reduce the window in which attackers could reverse-engineer the fix before customers have applied it.
To apply this patch, administrators should log into My Oracle Support, locate the April 2026 CPU patches for Oracle Fusion Middleware (specifically Oracle Identity Manager Connector 12.2.1.4.0), and follow Oracle's standard CPU application procedures. Given the CVSS 9.1 severity and the lack of any required user interaction or privileges for exploitation, this patch should be prioritized for immediate deployment.
For organizations that cannot patch immediately, Oracle recommends blocking network access to the Connector's HTTPS endpoints as the most effective interim control. Since the vulnerability requires no privileges to exploit, network-level isolation is more effective than access control adjustments within the application. Oracle strongly recommends testing any interim changes on non-production systems first, as restricting HTTPS access may break application functionality.
Affected Systems and Versions
The only confirmed affected configuration is:
- Product: Oracle Identity Manager Connector
- Parent Suite: Oracle Fusion Middleware
- Component: Core
- Affected Version: 12.2.1.4.0
- Protocol: HTTPS
Organizations running Oracle Identity Manager Connector version 12.2.1.4.0 with the Core component accessible over HTTPS are vulnerable. The advisory does not list any other versions as affected.
Vendor Security History
Oracle maintains one of the most structured security patching programs in the enterprise software industry, releasing Critical Patch Updates on a quarterly cadence. The April 2026 CPU alone contained 483 new security patches. Oracle also issues out-of-band Security Alerts when warranted; for example, a March 20, 2026 alert specifically addressed Oracle Identity Manager and Oracle Web Services Manager.
Oracle has publicly acknowledged that it "continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches," and that "in some instances, attackers have been successful because targeted customers had failed to apply available Oracle patches." This pattern underscores the importance of timely patch application, particularly for vulnerabilities with a CVSS score of 9.1 that require no authentication to exploit.
The presence of six related CVEs in the same component within a single CPU suggests that Oracle conducted a thorough internal review of the Identity Manager Connector's Core component, which is a positive indicator of proactive security investment in this area.