Skip to main content

Oracle Cloud Native Environment CLI CVE-2026-35255

| EUVDEUVD-2026-27550 MEDIUM
Code Injection (CWE-94)
2026-05-06 oracle GHSA-cgfw-mj7v-xqh6
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 10:00 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.

AnalysisAI

Malicious environment variable injection in Oracle Cloud Native Environment Command Line Interface v2.3.2 allows local authenticated users with low privileges to execute arbitrary code through user interaction, compromising systems running the affected CLI tool. The vulnerability requires local access and user action but results in high-impact code execution with full confidentiality and integrity compromise.

Technical ContextAI

The Oracle Cloud Native Environment Command Line Interface (OCNE CLI) improperly handles environment variables during execution. Attackers exploit this by crafting malicious environment variables that the CLI processes without proper sanitization. The vulnerability exists in the local attack surface where an authenticated user on the same system can influence the CLI's execution environment. The root cause involves insufficient input validation of environment variables passed to the CLI, allowing arbitrary code execution within the context of the user invoking the tool. This is a classic environment-based code injection vulnerability affecting command-line interfaces that trust system environment state.

RemediationAI

Oracle has not released a publicly visible patched version at the time of analysis. Organizations using Oracle Cloud Native Environment CLI v2.3.2 should immediately contact Oracle support for patch availability or upgrade guidance at https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-products-cves.html. As an interim compensating control, restrict environment variable inheritance by using env -i or similar mechanisms when invoking the CLI to clear the environment before execution, though this may impact CLI functionality. Alternatively, enforce strict access controls limiting which users can invoke the CLI and ensure users never run the CLI in untrusted contexts where environment variables could be injected. Disable or remove the CLI from non-essential systems until a patch is confirmed available.

Share

CVE-2026-35255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy