Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.
AnalysisAI
Malicious environment variable injection in Oracle Cloud Native Environment Command Line Interface v2.3.2 allows local authenticated users with low privileges to execute arbitrary code through user interaction, compromising systems running the affected CLI tool. The vulnerability requires local access and user action but results in high-impact code execution with full confidentiality and integrity compromise.
Technical ContextAI
The Oracle Cloud Native Environment Command Line Interface (OCNE CLI) improperly handles environment variables during execution. Attackers exploit this by crafting malicious environment variables that the CLI processes without proper sanitization. The vulnerability exists in the local attack surface where an authenticated user on the same system can influence the CLI's execution environment. The root cause involves insufficient input validation of environment variables passed to the CLI, allowing arbitrary code execution within the context of the user invoking the tool. This is a classic environment-based code injection vulnerability affecting command-line interfaces that trust system environment state.
RemediationAI
Oracle has not released a publicly visible patched version at the time of analysis. Organizations using Oracle Cloud Native Environment CLI v2.3.2 should immediately contact Oracle support for patch availability or upgrade guidance at https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-products-cves.html. As an interim compensating control, restrict environment variable inheritance by using env -i or similar mechanisms when invoking the CLI to clear the environment before execution, though this may impact CLI functionality. Alternatively, enforce strict access controls limiting which users can invoke the CLI and ensure users never run the CLI in untrusted contexts where environment variables could be injected. Disable or remove the CLI from non-essential systems until a patch is confirmed available.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27550
GHSA-cgfw-mj7v-xqh6