One hundred thirty-eight new CVEs hit the NVD on March 20, 2026. Sixty-seven affect enterprise and web infrastructure. Oracle issued a rare out-of-band Security Alert for a CVSS 9.8 flaw in Identity Manager that mirrors an actively exploited vulnerability from October 2025. Spring patched two Actuator authentication bypasses. A supply chain flaw in the FastGPT AI agent platform lets anyone push malicious Docker images to production registries.
Critical tier
Oracle issued an out-of-band Security Alert on March 20 for CVE-2026-21992 (CVSS 9.8). The flaw is in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager. An unauthenticated attacker with HTTP access can achieve full system takeover. Affected versions are 12.2.1.4.0 and 14.1.2.1.0.
Out-of-band alerts from Oracle are rare. The company reserves them for flaws too urgent to wait for the next quarterly Critical Patch Update (April 2026). Oracle's advisory states the vulnerability "is remotely exploitable without authentication" and "may result in remote code execution." No workarounds are available. Patches require login to My Oracle Support.
Oracle used nearly identical language to describe CVE-2026-21992 and CVE-2025-61757 (CVSS 9.8). CVE-2025-61757 hit the same REST WebServices component and was actively exploited. CISA added it to the KEV catalog in November 2025. The Stack assessed that the overlap "suggests the vulnerability is likely a patch bypass."
Attackers already know the codebase. A University of Luxembourg paper (December 2025) showed a 100% success rate for generating working exploits from CVE patch diffs using LLMs.
Oracle Identity Manager is a privileged identity governance platform. Its compromise gives an attacker control over user provisioning, role assignment, and access policies for the entire enterprise. Organizations that patched CVE-2025-61757 last fall may find themselves vulnerable again through the same component.
— Artem Safonov, Threat Analyst at AnonHaven
Spring released Spring Boot 3.5.12 and 4.0.4 on March 19, fixing two Actuator authentication bypasses. CVE-2026-22733 (CVSS 8.2) hits applications that declare authenticated endpoints under the CloudFoundry Actuator path. An unauthenticated attacker can bypass auth entirely (CWE-288). CVE-2026-22731 targets Health Group additional paths with the same root cause. The affected range (Spring Security 2.7 through 4.0) covers virtually every maintained Spring Boot deployment.
Trend Micro documented real-world Actuator exploitation on March 18. Exposed /env endpoints leaked passwords, client secrets, and OAuth tokens. Attackers used those secrets to reach Microsoft 365 environments, bypassing MFA via the OAuth2 ROPC flow. The patches landed one day later. The new bypasses could open those same endpoints to unauthenticated access.
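Detecting the exposure pattern Trend Micro describes is cheaper than detecting the bypass itself: a successful response to a secret-bearing Actuator endpoint is the signal, whichever path the request took. The script below is an added example (not Trend Micro's or Spring's code) that scans web-server access logs in Common Log Format and flags 2xx responses to sensitive endpoints. The sample log lines are constructed; `/cloudfoundryapplication` is Spring Boot's CloudFoundry actuator base path, while the list of endpoint names treated as sensitive is the author's assumption, not a Spring setting. The Common Log Format user field is only populated for HTTP-level authentication, so a `-` there means "no auth identity recorded", which is where review should start after these patches.

```python
"""Flag successful requests to secret-bearing Spring Boot Actuator endpoints
in Common Log Format access logs. Added detection example; sample lines are
constructed. The SENSITIVE list is an assumption about which endpoints matter."""
import re
from typing import Dict, List

SENSITIVE = ("env", "heapdump", "configprops", "beans", "mappings", "threaddump")
# Matches /actuator/<...>/env, /cloudfoundryapplication/env, etc. (path only, no query).
PATH_RE = re.compile(
    r"^/(?:actuator|cloudfoundryapplication)(?:/[^/?]+)*/("
    + "|".join(SENSITIVE) + r")(?:[/?]|$)"
)
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one blocked probe, one unauthenticated hit via the
# CloudFoundry base path, one authenticated read of /env, plus benign noise.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15
203.0.113.7 - - [20/Mar/2026:10:01:05 +0000] "GET /actuator/env HTTP/1.1" 401 0
203.0.113.7 - - [20/Mar/2026:10:01:09 +0000] "GET /cloudfoundryapplication/env HTTP/1.1" 200 18342
198.51.100.3 - alice [20/Mar/2026:10:02:00 +0000] "GET /actuator/env HTTP/1.1" 200 17001
203.0.113.7 - - [20/Mar/2026:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def detect_actuator_exposure(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per 2xx response to a sensitive Actuator path.

    severity 'high'   : no HTTP-auth identity in the log (user field is '-')
    severity 'review' : an identity was recorded; confirm it should see secrets
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, skip rather than guess
        path_only = m["path"].split("?", 1)[0]
        if not PATH_RE.match(path_only) or not m["status"].startswith("2"):
            continue
        hits.append({
            "ip": m["ip"],
            "path": m["path"],
            "auth_user": m["user"],
            "severity": "high" if m["user"] == "-" else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in detect_actuator_exposure(SAMPLE_LOG):
        print(f"{hit['severity']:6} {hit['ip']:15} {hit['auth_user']:8} {hit['path']}")
```

Run against real logs by piping them into `detect_actuator_exposure`; the 401 line is deliberately not reported, because a denied probe is routine noise while a 200 to `/env` is a leaked secret store.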
CVE-2026-33075 (CVSS 9.4) is a supply chain flaw in FastGPT ≤4.14.8.3. The fastgpt-preview-image.yml GitHub Actions workflow uses the pull_request_target trigger, which has access to repository secrets. But the workflow checks out code from the pull request author's fork. Any external contributor can submit a malicious Dockerfile. The workflow builds and pushes the resulting Docker image to FastGPT's production container registry, enabling secret exfiltration and supply chain poisoning. No patch was available at disclosure.
FastGPT builds AI agents. A compromised Docker image in its registry could inject backdoored infrastructure into production. The pull_request_target misconfiguration has been a recurring supply chain class since GitHub documented the risk in 2020. Developers use it to run CI on forks with access to secrets. They rarely understand that the checkout step fetches untrusted code from the fork author.
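The misconfiguration is mechanical enough to check for in bulk. The auditor below is an added example, not FastGPT's workflow and not a GitHub-provided tool: it scans workflow text for the three ingredients of the flaw described above (the `pull_request_target` trigger, a checkout pinned to the pull request head, and a step that pushes an image) and reports which of them are present. Both workflow texts are constructed; the registry hostname is a placeholder. The "safe" variant shows the usual fix for a preview build that does not need repository secrets: trigger on plain `pull_request`, which runs fork code without secrets and without the ability to push.

```python
"""Heuristic audit of GitHub Actions workflows for the pull_request_target +
fork-checkout pattern. Added illustration; both workflows below are constructed
and the registry name is a placeholder. Line-based matching, so a workflow can
evade it; it is a triage aid, not a proof of safety."""
import re
import sys
from pathlib import Path
from typing import List

# Constructed: privileged trigger, fork code checked out, image pushed with secrets.
RISKY_WORKFLOW = """\
name: preview-image
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: docker build -t registry.example.invalid/app:pr .
      - run: docker push registry.example.invalid/app:pr
"""

# Constructed: same build on plain pull_request; fork code runs without secrets
# and nothing is pushed.
SAFE_WORKFLOW = """\
name: preview-image
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:pr .
"""

TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout", re.I)
# A ref, sha or repo taken from the PR event means code from the author's fork.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref|repo)")
PUSH_RE = re.compile(r"\b(docker\s+push|docker/build-push-action)\b")


def audit_workflow(text: str) -> List[str]:
    """Return findings for one workflow file; an empty list means none triggered."""
    findings: List[str] = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request / push workflows are out of scope
    findings.append("pull_request_target: job runs with the base repo's secrets")
    if CHECKOUT_RE.search(text) and PR_HEAD_RE.search(text):
        findings.append("checks out PR head: untrusted fork code runs in that job")
    if PUSH_RE.search(text):
        findings.append("pushes an image: a poisoned build can reach the registry")
    return findings


if __name__ == "__main__":
    # Usage: python audit.py /path/to/repo   (falls back to the constructed samples)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    files = sorted(root.glob(".github/workflows/*.y*ml")) if root else []
    samples = {p.name: p.read_text() for p in files} or {
        "risky.yml": RISKY_WORKFLOW,
        "safe.yml": SAFE_WORKFLOW,
    }
    for name, body in samples.items():
        print(name, audit_workflow(body) or ["no findings"])
```

A single finding (the trigger alone) is not a vulnerability: `pull_request_target` is legitimate when the job only labels or comments on the PR. All three together is the FastGPT shape and deserves a manual look.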
High tier
CVE-2026-32950 (CVSS 8.6) chains prompt injection to RCE in SQLBot. SQLBot is a data query tool built on an LLM and RAG (Retrieval Augmented Generation). A January 2026 proof-of-concept used PostgreSQL's COPY FROM PROGRAM to achieve command execution. The attacker's natural language query forced the LLM to generate DROP TABLE, CREATE TABLE, and COPY FROM PROGRAM 'id' statements.
SQLBot is the third LLM-to-SQL vulnerability in two weeks.
Spring AI had two on March 17. CVE-2026-22730 (MariaDB SQL injection) and CVE-2026-22729 (JSONPath injection) target the same user-input-to-SQL pattern with different entry points. The LLM translates natural language into SQL. The translation layer has no security boundary.
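If the translation layer has no security boundary, the boundary has to sit between the LLM's output and the database driver. The code below is an added example, not SQLBot's or Spring AI's code, of the two controls the response summary calls for: treat generated SQL as untrusted input (single statement, read-only verb, no DDL or data-movement keywords, values bound as parameters rather than written into the text), and make the connection itself refuse writes so a validation miss cannot become a `DROP TABLE` or `COPY FROM PROGRAM`. It uses Python's bundled `sqlite3` in place of the PostgreSQL backend from the SQLBot proof-of-concept; `PRAGMA query_only` is SQLite's mechanism, PostgreSQL would get the same effect from a role with SELECT-only grants and `default_transaction_read_only`. The LLM outputs are constructed dictionaries; the shape `{"sql": template, "params": [...]}` is an assumption about what a parameter-aware translation layer would return.

```python
"""Guard between an LLM-to-SQL translation layer and the database driver.
Added example using sqlite3; not SQLBot's or Spring AI's code. The two
constructed LLM outputs stand in for a benign translation and for the
DROP/COPY FROM PROGRAM shape reported for SQLBot."""
import re
import sqlite3
from typing import Any, Dict, List, Tuple

# The only statement kinds the translation layer may ever emit.
ALLOWED_LEADING = ("SELECT", "WITH")
# Keywords that must never reach the driver from generated text (sqlite has no
# COPY, but the list mirrors what the PostgreSQL-side chain relied on).
FORBIDDEN = re.compile(
    r"\b(DROP|CREATE|ALTER|INSERT|UPDATE|DELETE|COPY|ATTACH|PRAGMA|EXEC)\b", re.I
)


def validate_generated_sql(sql: str) -> str:
    """Return the statement if it is a single read-only query, else raise."""
    stripped = sql.strip().rstrip(";").strip()
    if ";" in stripped or "--" in stripped or "/*" in stripped:
        raise ValueError("multiple statements or comments are not allowed")
    if not stripped.upper().startswith(ALLOWED_LEADING):
        raise ValueError("only SELECT / WITH statements may be executed")
    if FORBIDDEN.search(stripped):
        raise ValueError("forbidden keyword in generated SQL")
    return stripped


def open_query_only_db() -> sqlite3.Connection:
    """Load a constructed dataset, then lock the connection to reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [("acme", 120.0), ("acme", 80.0), ("globex", 5.0)],
    )
    conn.commit()
    # Driver-level guard: from here on the connection refuses every write,
    # regardless of what text the model produced.
    conn.execute("PRAGMA query_only = ON")
    return conn


def run_translation(conn: sqlite3.Connection, generated: Dict[str, Any]) -> List[Tuple]:
    """Execute one translation-layer result: a ?-template plus bound values."""
    sql = validate_generated_sql(generated["sql"])
    params = list(generated.get("params", []))
    if sql.count("?") != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    return conn.execute(sql, params).fetchall()  # values bound by the driver


def write_is_refused(conn: sqlite3.Connection) -> bool:
    """True if the query_only connection rejects a direct write."""
    try:
        conn.execute("DELETE FROM orders")
    except sqlite3.OperationalError:
        return True
    return False


# Constructed: what a well-behaved translation layer returns for
# "total spend for customer acme".
BENIGN = {
    "sql": "SELECT customer, SUM(total) FROM orders WHERE customer = ? GROUP BY customer",
    "params": ["acme"],
}
# Constructed: the statement shape from the SQLBot report, as a model might emit it
# after a hostile natural-language query.
INJECTED = {"sql": "DROP TABLE orders; COPY t FROM PROGRAM 'id'", "params": []}


if __name__ == "__main__":
    db = open_query_only_db()
    print("benign:", run_translation(db, BENIGN))
    try:
        run_translation(db, INJECTED)
    except ValueError as err:
        print("injected rejected:", err)
    print("direct write refused:", write_is_refused(db))
```

The keyword filter is the weakest of the three layers (it will also refuse a legitimate column named `update`); the parameter binding and the read-only connection are the ones that hold when the model is steered.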
Free5GC, the Linux Foundation's open-source 5G core, received three CVSS 8.7 flaws. CVE-2026-33192, CVE-2026-33191, and CVE-2026-33064 were disclosed on the same day. Private 5G networks powered by open-source stacks run in factories, logistics hubs, and military installations. Core network vulnerabilities can compromise subscriber authentication and data routing for every connected device. Full details were not yet published in NVD.
CVE-2026-32756 (CVSS 8.8) and CVE-2026-32817 (CVSS 9.1) hit Admidio, an open-source user administration platform, versions ≤5.0.6. CVE-2026-32756 allows RCE via PHP. WeGIA, a Brazilian charity management system, picked up three more critical flaws on the same day: CVE-2026-33134 (CVSS 9.3, SQL injection in ≤3.6.5) and two reflected XSS flaws (CVE-2026-33136 and CVE-2026-33135, both CVSS 9.3, in ≤3.6.6).
AI infrastructure is producing critical vulnerabilities faster than traditional web applications. FastGPT's supply chain flaw could poison AI agent Docker images at the registry level. SQLBot's prompt injection chain proves that LLM-to-SQL translation is a new injection class with no mature defense. Combined with Spring AI's two SQL/JSONPath injection flaws from March 17, four AI-related critical or high-severity vulnerabilities landed in one week.
— Artem Safonov, Threat Analyst at AnonHaven
Response summary
| Vulnerability | Vendor response | Reader action |
|---|---|---|
| CVE-2026-21992 (Oracle Identity Manager) | Out-of-band Security Alert | Patch immediately via My Oracle Support |
| CVE-2026-22733, CVE-2026-22731 (Spring Boot Actuator) | Patched in 3.5.12, 4.0.4 | Update Spring Boot |
| CVE-2026-33075 (FastGPT) | No patch at disclosure | Audit GitHub Actions for pull_request_target |
| CVE-2026-32950 (SQLBot) | No patch | Enforce parameterized queries at DB driver level |
| CVE-2026-33192/33191/33064 (Free5GC) | No patch information | Monitor for updates, restrict core network access |
| CVE-2026-32756/32817 (Admidio) | No patch information | Restrict access, monitor for update |
Patch Oracle Identity Manager first. The similarity to an actively exploited predecessor makes it the highest-risk item in this batch. Update Spring Boot to 3.5.12 or 4.0.4. Audit GitHub Actions workflows in AI projects for pull_request_target misconfigurations. Treat LLM-to-SQL translation layers as untrusted input and enforce parameterized queries at the database driver level, not the LLM output level.