Description
Vulnerability in the Oracle Macaron Tool product of Oracle Open Source Projects. The supported version that is affected is v0.22.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation.
Published: 2026-05-06
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker with network access via HTTP can exploit a flaw in the Oracle Macaron Tool that causes the host address validation to fail. This failure can lead to a compromise of the tool, allowing the attacker to bypass address checks and potentially manipulate the service. The vulnerability does not explicitly claim remote code execution, but the ability to defeat validation rules may enable further exploitation or unauthorized configuration changes.

Affected Systems

Oracle Macaron Tool, part of Oracle Open Source Projects, version 0.22.0.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate level of risk. The EPSS score of 0.00021 (<1%) shows a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, which suggests no widespread exploitation so far. The attack vector is network-based (AV:N) via HTTP, so any host exposed to the Internet or to an internal network could be at risk if the tool is not isolated or patched.

Generated by OpenCVE AI on May 10, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch for Oracle Macaron Tool 0.22.0 that resolves the improper authentication (CWE‑346) and host address validation (CWE‑601) flaws.
  • Limit HTTP traffic to the Macaron Tool using firewall rules or network segmentation so only trusted hosts can access it, mitigating the risk from unauthorized authentication (CWE‑346).
  • Disable or restrict any endpoints whose host address validation can be bypassed, and enforce the validated address so that the weak validation logic (CWE‑601) cannot be exploited.


Advisories

No advisories yet.

History

Tue, 12 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oracle macaron
CPEs | cpe:2.3:a:oracle:macoron:0.22.0:*:*:*:*:*:*:* | cpe:2.3:a:oracle:macaron:0.22.0:*:*:*:*:*:*:*
Vendors & Products | Oracle macoron | Oracle macaron

Sun, 10 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Title | | Oracle Macaron Tool 0.22.0 Host Address Validation Vulnerability

Sun, 10 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-346

Wed, 06 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Title | | Oracle Macaron Tool 0.22.0 Host Address Validation Vulnerability

Wed, 06 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oracle; Oracle macoron
Weaknesses | | CWE-601
CPEs | | cpe:2.3:a:oracle:macoron:0.22.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle macoron

Wed, 06 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oracle Corporation; Oracle Corporation oracle Macaron Tool Of Oracle Open Source Projects
Vendors & Products | | Oracle Corporation; Oracle Corporation oracle Macaron Tool Of Oracle Open Source Projects

Wed, 06 May 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation.
References | |
Metrics | | cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-10T19:56:18.774Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35253

Vulnrichment

Updated: 2026-05-06T18:42:11.894Z

NVD

Status: Analyzed

Published: 2026-05-06T08:16:03.570

Modified: 2026-05-12T19:10:53.430

Link: CVE-2026-35253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T22:00:14Z

Weaknesses