Oracle has disclosed a critical, unauthenticated remote code execution vulnerability (CVE-2026-21992, CVSS 9.8) affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw allows attackers to gain network access via HTTP due to a lack of network-level authentication, though no active exploitation has been observed yet.