Oracle issued an emergency, out-of-band security patch for a critical vulnerability designated CVE-2026-21992.

The flaw affects Oracle Identity Manager and Web Services Manager products.

The vulnerability carries a CVSS severity score of 9.8.

Unauthenticated attackers can exploit the flaw over a network to execute code remotely.

Exploitation requires no user interaction and potentially leads to complete system compromise.

Oracle has not confirmed whether the vulnerability is being actively exploited in the wild.

The company urges customers to apply updates immediately to mitigate significant security risks.