Description
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported version that is affected is v2.3.2. Easily exploitable vulnerability allows an unauthenticated attacker to compromise the Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.
Published: 2026-05-06
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Cloud Native Environment Command Line Interface v2.3.2 executes arbitrary code when it processes a maliciously crafted environment variable. The record tags the weakness as CWE-20 (Improper Input Validation), CWE-78 (OS Command Injection) and CWE-94 (Code Injection): environment input reaches command or code execution without being validated or sanitized first. Although Oracle's description says "unauthenticated attacker", the CVSS vector (AV:L/PR:L/UI:R) requires local access with low privileges plus a user action, so in practice the attacker must get the crafted variable into the environment of a user who then runs the CLI.

Affected Systems

Oracle provides the Oracle Cloud Native Environment Command Line Interface (the CVE lists the vendor as Oracle Open Source Projects). Only the v2.3.2 release is listed as affected (CPE cpe:2.3:a:oracle:cloud_native_environment_command_line_interface:2.3.2:*:*:*:*:*:*:*); no other versions or product lines are listed as impacted.

Risk and Exploitability

The CVSS 3.1 base score of 6.6 (Medium) derives from the vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N: local attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, high confidentiality and integrity impact, no availability impact. The EPSS score is below 1%, the SSVC assessment on the record reads Exploitation: none, Automatable: no, Technical Impact: total, and the CVE is not in the CISA KEV catalog. The attack vector is therefore local or process-level rather than remote network exposure: the attacker needs the ability to set an environment variable in the context in which a user invokes the CLI. Successful exploitation executes code with the privileges of the user running the CLI.

Generated by OpenCVE AI on May 6, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Cloud Native Environment Command Line Interface to a patched version once Oracle publishes one; this record does not yet identify a fixed version.
  • Until then, run the CLI from a wrapper that starts it with a minimal, allowlisted environment (for example `env -i` plus only the variables it needs) and rejects variable values containing shell metacharacters or control characters; do not let untrusted users or processes set variables in the context in which the CLI runs.
  • Restrict execution of the CLI to trusted users and monitor for unexpected child processes or commands spawned by it.

Generated by OpenCVE AI on May 6, 2026 at 21:02 UTC.
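As an added example of the interim workaround above (not code from the OpenCVE page or from the ocne project), the launcher below starts the CLI with a freshly built environment that contains only allowlisted variables, and refuses to start if any of those values contains shell metacharacters or control characters, so an injection attempt is reported rather than silently passed through. The binary name `ocne`, the allowlist `ALLOWED_VARS`, the `DEFAULTS`, and the rejected character set are all assumptions for this example; adjust them to the variables the CLI actually needs in your deployment.

```python
"""Launch a CLI with an allowlisted, validated environment (added example,
not the ocne project's own code)."""

import os
import re
import subprocess
import sys

# Variables the CLI may inherit (assumed for this example; tune per deployment).
ALLOWED_VARS = ("PATH", "HOME", "USER", "LANG", "KUBECONFIG")

# Fallbacks applied when the caller's environment lacks a variable the CLI needs (assumed).
DEFAULTS = {"PATH": "/usr/bin:/bin"}

# Characters a shell would treat as operators, quotes or expansions, plus control
# characters (newline, escape, NUL). Conservative on purpose; an assumption of this example.
SUSPICIOUS = re.compile(r"[;|&`$()<>'\"\\\x00-\x1f\x7f]")


class UnsafeEnvironment(ValueError):
    """Raised when an allowlisted variable carries a suspicious value."""


def find_violations(environ):
    """Return (name, reason) for each allowlisted variable whose value looks like an injection."""
    violations = []
    for name in ALLOWED_VARS:
        value = environ.get(name)
        if value is None:
            continue
        m = SUSPICIOUS.search(value)
        if m:
            violations.append((name, f"contains {m.group()!r} at offset {m.start()}"))
    return violations


def build_clean_env(environ):
    """Build the environment the CLI will see: defaults, then allowlisted values only.

    Every other variable is dropped; a suspicious allowlisted value aborts the launch."""
    violations = find_violations(environ)
    if violations:
        raise UnsafeEnvironment("; ".join(f"{name} {reason}" for name, reason in violations))
    clean = dict(DEFAULTS)
    clean.update((name, environ[name]) for name in ALLOWED_VARS if name in environ)
    return clean


def run_cli(args, environ=None, binary="ocne"):
    """Run the CLI as an argv list (never through a shell) with the cleaned environment."""
    env = build_clean_env(os.environ if environ is None else environ)
    return subprocess.run([binary, *args], env=env, check=False).returncode


if __name__ == "__main__":
    try:
        sys.exit(run_cli(sys.argv[1:]))
    except UnsafeEnvironment as exc:
        print(f"refusing to start: {exc}", file=sys.stderr)
        sys.exit(2)
```

Invoke it as `python3 launcher.py <cli arguments>` in place of the bare CLI. Because the launcher constructs the child environment from scratch rather than deleting known-bad names, a variable the attacker invents is dropped automatically, and because it fails closed on a bad value in an allowed variable, the attempt shows up on stderr and in the non-zero exit status instead of reaching the CLI.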

Advisories

No advisories yet.

History

Wed, 06 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Oracle
Oracle cloud Native Environment Command Line Interface
CPEs cpe:2.3:a:oracle:cloud_native_environment_command_line_interface:2.3.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle cloud Native Environment Command Line Interface

Wed, 06 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Arbitrary Code Execution via Malicious Environment Variable in Oracle Cloud Native Environment Command Line Interface
Weaknesses CWE-20
CWE-78

Wed, 06 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 11:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Arbitrary Code Execution via Malicious Environment Variable in Oracle Cloud Native Environment Command Line Interface
Weaknesses CWE-20
CWE-78

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported version that is affected is v2.3.2. Easily exploitable vulnerability allows an unauthenticated attacker to compromise the Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-06T13:01:24.072Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35255

Vulnrichment

Updated: 2026-05-06T13:01:20.018Z

NVD

Status : Analyzed

Published: 2026-05-06T10:16:19.827

Modified: 2026-05-06T20:30:40.060

Link: CVE-2026-35255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:56Z

Weaknesses