CVE-2026-21994

CRITICAL

Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit 0.3.0 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-21994. PoCs published by TEXploited, g0w6y.

AI-analyzed exploit summary: The repository lacks actual exploit code and instead directs users to download the exploit from an external URL (tinyurl.com). The README provides minimal technical details and focuses on marketing language.

Description

Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. Successful attacks of this vulnerability can result in takeover of Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

nomisec SUSPICIOUS 1 star
by TEXploited · poc
https://github.com/TEXploited/CVE-2026-21994

The repository lacks actual exploit code and instead directs users to download the exploit from an external URL (tinyurl.com). The README provides minimal technical details and focuses on marketing language.

Classification: Suspicious 95%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit 0.3.0
No auth needed
Prerequisites: network access via HTTP
devstral-2 · analyzed Mar 18, 2026

nomisec WRITEUP
by g0w6y · poc
https://github.com/g0w6y/CVE-2026-21994

The repository provides a detailed technical analysis of CVE-2026-21994, which involves a hardcoded Flask SECRET_KEY and disabled SSH host verification in Oracle OKIT (oci-designer-toolkit) version 0.3.0. The writeup includes code snippets, vulnerability details, and a proof-of-concept script description.

Classification: Writeup 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Oracle OKIT (oci-designer-toolkit) version 0.3.0
No auth needed
Prerequisites: Access to the target system · Ability to forge session cookies
devstral-2 · analyzed Mar 22, 2026

Scores

CVSS v3 9.8
EPSS 0.0013
EPSS Percentile 32.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-284
Status published
Products (2)
oracle/okit 0.3.0
Oracle Corporation/Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit 0.3.0
Published Mar 17, 2026
Tracked Since Mar 18, 2026