Cyber Posture

CVE-2026-21994

Critical

Published: 17 March 2026
Modified: 02 April 2026
KEV Added: (not listed)
Patch: available (see vendor advisory below)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (31.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. Successful attacks of this vulnerability can result in takeover of Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the improper access control flaw (CWE-284) in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0 by applying vendor patches or upgrades.

Prevent: Enforces approved authorizations for logical access to system resources, directly countering the vulnerability's unauthenticated takeover via improper access control.

Prevent: Monitors and controls communications at external boundaries to block unauthenticated network access via HTTP to the vulnerable Desktop component.

Security Summary

CVE-2026-21994 is a high-severity vulnerability affecting the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit, a product within Oracle Open Source Projects, specifically the Desktop component in version 0.3.0. Published on 2026-03-17, it stems from CWE-284 (Improper Access Control) and carries a CVSS 3.1 Base Score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical impacts on confidentiality, integrity, and availability.

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation enables full takeover of the affected Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit instance, allowing the attacker to compromise all core security properties.

For mitigation details, refer to the Oracle security advisory at https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html.

Details

CWE(s)

CWE-284 Improper Access Control

Affected Products

Vendor: oracle
Product: okit
Version: 0.3.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation over HTTP of a public-facing application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
