Oracle issued an out-of-band emergency security alert for CVE-2026-21992, a reported CVSS 9.8 RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager — components of Oracle Fusion Middleware. The identity infrastructure target amplifies potential impact: successful exploitation could compromise user provisioning, access governance, and role management across the enterprise. Current EPSS exploitation activity is low (0.00058, 18th percentile), but the out-of-band advisory cadence warrants treating this as critical; apply the Oracle emergency patch immediately and verify specific affected version ranges against the Oracle Security Alert Advisory before acting, as NVD data was not available at analysis time.