Description
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported version that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.
Published: 2026-05-06
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vulnerability in Oracle Cloud Native Environment Command Line Interface v2.3.2 allows an attacker who can place a malicious environment variable in the environment of a process that invokes the CLI to execute arbitrary code. The assigned weaknesses, CWE-20 (improper input validation) and CWE-78 (OS command injection), indicate that the CLI uses environment-variable values when constructing or executing commands without validating or neutralizing them, so the injected code runs with the privileges of the user who runs the binary. Note that Oracle's description calls the attacker unauthenticated, whereas the CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) records local access, low privileges and required user interaction, with high impact on confidentiality and integrity and none on availability.

Affected Systems

Oracle distributes the Oracle Cloud Native Environment Command Line Interface as part of Oracle Open Source Projects. The only affected release listed is version 2.3.2; no other vendors or product lines are listed as impacted.

Risk and Exploitability

The CVSS 3.1 base score of 6.6 (Medium) reflects a local attack vector that needs low privileges and user interaction (AV:L/AC:L/PR:L/UI:R), weighed against high confidentiality and integrity impact. The vulnerability is not listed in CISA KEV and no EPSS score is available. In practice the exposure is to anyone who can shape the environment of a process that runs the CLI, for example through a shell profile, a wrapper script, a CI job definition or a container specification; remote exploitation requires such a foothold first. Once the CLI runs with the attacker's variable, the resulting code executes as the invoking user and can read or alter data and establish persistence.

Generated by OpenCVE AI on May 6, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Cloud Native Environment Command Line Interface to a release newer than v2.3.2 once Oracle publishes one that addresses this issue
  • If an upgrade cannot be performed immediately, start the CLI only from a deliberately constructed environment: clear inherited variables and pass through an explicit allowlist whose values have been validated
  • Restrict execution of the CLI to trusted users and monitor its invocations for unexpected environment settings or command usage

Generated by OpenCVE AI on May 6, 2026 at 11:24 UTC.
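The script below is an added example, not code from Oracle's CLI or from OpenCVE. It first shows the bug class that the assigned weaknesses describe (an environment variable interpolated into a string that a shell re-parses, CWE-78) next to the argv form that keeps the value literal, and then a POSIX sh wrapper implementing the interim measure from the actions above: launch the program under env -i with an explicit allowlist of variables whose values are validated before they are passed through. OCNE_EXAMPLE_OPTS, the contents of ALLOWED_VARS and SAFE_PATH are hypothetical names chosen for illustration; the advisory does not identify the variable involved in CVE-2026-35255.

```shell
#!/bin/sh
# Added example: not code from Oracle's CLI or from OpenCVE.  The variable
# OCNE_EXAMPLE_OPTS, the allowlist in ALLOWED_VARS and SAFE_PATH are
# assumptions chosen for illustration; the advisory does not name the
# variable involved in CVE-2026-35255.

# --- The bug class: CWE-78 reached through an environment variable ---

# unsafe_invoke: the variable is interpolated into a command string that a
# shell then parses, so ';', '$(...)' and similar in the value run as code.
unsafe_invoke() {
    sh -c "echo tool --opts $OCNE_EXAMPLE_OPTS"
}

# safe_invoke: the value travels as one argv element and is never re-parsed
# by a shell, so metacharacters stay literal text.
safe_invoke() {
    echo tool --opts "$OCNE_EXAMPLE_OPTS"
}

# --- The mitigation: launch with an allowlisted, validated environment ---

ALLOWED_VARS="HOME USER LANG TERM KUBECONFIG OCNE_EXAMPLE_OPTS"
SAFE_PATH="/usr/local/bin:/usr/bin:/bin"

# value_is_safe VALUE: returns 0 if VALUE contains only characters that are
# inert in a shell-interpolated context, 1 otherwise (rejects whitespace,
# newlines, quotes, backticks, $ ; | & < > ( ) { } [ ] * ? \ ~ #).
value_is_safe() {
    case "$1" in
        *[!A-Za-z0-9_./:@%+=,-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_clean_env_args: print NAME=VALUE, one per line, for every allowlisted
# variable that is set and passes value_is_safe; anything else is dropped.
build_clean_env_args() {
    for name in $ALLOWED_VARS; do
        eval "value=\${$name-}"   # indirect lookup; name comes from our own list
        [ -n "$value" ] || continue
        if value_is_safe "$value"; then
            printf '%s=%s\n' "$name" "$value"
        else
            printf 'wrapper: dropping %s: unsafe characters in value\n' "$name" >&2
        fi
    done
}

# run_with_clean_env COMMAND [ARGS...]: run COMMAND via 'env -i' so that only
# PATH and the validated allowlist reach it.  Word-splitting the output of
# build_clean_env_args is safe here because validated values contain no
# whitespace or glob characters.
run_with_clean_env() {
    for pair in $(build_clean_env_args); do
        set -- "$pair" "$@"       # env assignments may precede COMMAND in any order
    done
    env -i PATH="$SAFE_PATH" "$@"
}
```

Point run_with_clean_env at the CLI binary (run_with_clean_env /path/to/the-cli ARGS); any variable not in ALLOWED_VARS, or whose value fails value_is_safe, is dropped with a warning on stderr before the process starts. Trim the allowlist to the variables the CLI actually reads, and widen the character set only if a legitimately needed value cannot pass it.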


Advisories

No advisories yet.

History

Wed, 06 May 2026 11:45:00 +0000

Type         Values Removed   Values Added
Title        (none)           Unauthorized Arbitrary Code Execution via Malicious Environment Variable in Oracle Cloud Native Environment Command Line Interface
Weaknesses   (none)           CWE-20, CWE-78

Wed, 06 May 2026 09:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported version that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.
References    (none)           (none shown)
Metrics       (none)           cvssV3_1: score 6.6, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N



MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-06T08:05:59.070Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35255

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T10:16:19.827

Modified: 2026-05-06T10:16:19.827

Link: CVE-2026-35255

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T11:30:26Z

Weaknesses