Skip to main content

Oracle OCI CLI CVE-2026-35254

| EUVDEUVD-2026-27534 MEDIUM
Path Traversal (CWE-22)
2026-05-06 oracle GHSA-x8v7-mg93-8rrg
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 07:46 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory.

AnalysisAI

Oracle OCI CLI version 3.77 allows local attackers with user interaction to place imported files outside the intended directory, compromising file integrity and enabling potential code execution or data exfiltration. The vulnerability requires local access and user interaction but carries high integrity impact through arbitrary file placement. No active exploitation or public exploit code has been identified at the time of analysis.

Technical ContextAI

Oracle OCI CLI is a command-line interface tool for managing Oracle Cloud Infrastructure resources. The vulnerability resides in the file import functionality, where insufficient path validation permits directory traversal attacks. When a user imports a file (likely through a specific CLI command or configuration loading mechanism), an attacker can craft a malicious import source that bypasses directory restrictions and places files outside the designated import directory. This is a classic path traversal vulnerability (CWE category, though not explicitly numbered in available data) affecting file handling logic. The attack vector is local (AV:L) rather than network-based, suggesting the vulnerability requires either direct filesystem access or interaction with a local user who initiates the import action.

RemediationAI

Upgrade Oracle OCI CLI to a patched version released after 3.77. Consult Oracle's official security advisory at https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html for the specific patched version number and upgrade instructions. As an interim compensating control, restrict the use of the OCI CLI import functionality to trusted users and audit all file import operations through logging or file integrity monitoring. Disable or restrict access to the import feature if it is not essential for your operations. Additionally, monitor the import directory and parent directories for unexpected file creation or modification, particularly files with unexpected ownership or permissions. Educate users not to import files from untrusted sources and to verify the integrity and origin of any imported configuration files before use.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-35254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy