CVE-2026-21992 is a critical unauthenticated RCE (CVSS 9.8) in Oracle Identity Manager and Oracle Web Services Manager, exploitable over HTTP with no credentials and no user interaction required, yielding full system compromise of the identity management host. Oracle issued an out-of-band emergency patch outside the standard quarterly CPU cycle, signaling assessed severity warranting immediate remediation without waiting for the next scheduled update window. Organizations should apply the emergency patch immediately, restrict OIM and WSM network exposure to trusted management subnets, and review IAM audit logs for unauthorized account creation, privilege escalation, or role assignment changes that may indicate pre-patch exploitation.