Skip to main content

Oracle CVE-2026-21994

| EUVDEUVD-2026-12665 CRITICAL
Improper Access Control (CWE-284)
2026-03-17 oracle
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 17, 2026 - 23:02 euvd
EUVD-2026-12665
Analysis Generated
Mar 17, 2026 - 23:02 vuln.today
CVE Published
Mar 17, 2026 - 22:43 nvd
CRITICAL 9.8

DescriptionCVE.org

Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. Successful attacks of this vulnerability can result in takeover of Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

This is a critical unauthenticated remote code execution vulnerability in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. An attacker with network access via HTTP can completely take over the affected system without any authentication, privileges, or user interaction required. The CVSS score of 9.8 reflects maximum impact across confidentiality, integrity, and availability. There is no evidence of active exploitation (not in CISA KEV), and no proof-of-concept code has been publicly identified in the available intelligence.

Technical ContextAI

The vulnerability exists in the Desktop component of Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit, an open source project tool used for designing and visualizing edge cloud infrastructure. The affected product is identified via CPE as cpe:2.3:a:oracle_corporation:oracle_edge_cloud_infrastructure_designer_and_visualisation_toolkit. While the specific CWE classification is not provided, the combination of unauthenticated network access via HTTP and complete system takeover suggests potential issues such as authentication bypass, command injection, or insecure deserialization. The Desktop component suggests this may be a desktop application with web service capabilities or a web-based interface accessible over HTTP.

RemediationAI

Immediately upgrade Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit to a version newer than 0.3.0 that addresses this vulnerability, consulting Oracle's security advisory at https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html for the specific patched version. Until patching is completed, implement network-level compensating controls including restricting HTTP access to the Desktop component to only trusted IP addresses or internal networks, placing the application behind a web application firewall (WAF) with strict input validation rules, and disabling network access entirely if the tool can function in offline mode. Consider disabling the Desktop component or the entire application if it is not actively required for business operations until the patch can be applied.

Share

CVE-2026-21994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy