Executive Summary
A critical unauthenticated remote code execution vulnerability (CVE-2026-21994, CVSS 9.8) has been disclosed in the Desktop component of Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. The flaw allows an unauthenticated remote attacker with network access via HTTP to fully compromise the affected system — achieving complete control over confidentiality, integrity, and availability.
CVSS Score: 9.8 (Critical)
Published to the NVD on March 17, 2026, this vulnerability (CWE-284 — Improper Access Control) carries a maximum-severity CVSS vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that exploitation requires no privileges, no user interaction, and is network-accessible with low attack complexity. Any organization running version 0.3.0 of the Oracle Edge Cloud Infrastructure Designer should treat this as a priority remediation item.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-21994 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-284: Improper Access Control |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Vulnerable Component | Desktop component |
| Affected Version | 0.3.0 |
| Published | 2026-03-17 |
Affected Products
| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| Oracle | Edge Cloud Infrastructure Designer and Visualisation Toolkit (Desktop) | 0.3.0 | Monitor Oracle Security Alerts |
Vulnerability Details
Improper Access Control in the Desktop Component
CVE-2026-21994 is rooted in an improper access control (CWE-284) flaw in the Desktop component of Oracle's Edge Cloud Infrastructure Designer and Visualisation Toolkit. The vulnerability allows an unauthenticated attacker to reach functionality that should require authentication, resulting in the ability to fully compromise the underlying system.
The Oracle Edge Cloud Infrastructure Designer is a toolkit for designing, visualising, and managing edge cloud infrastructure deployments. It is used by organizations to architect distributed edge computing environments — making a compromise of this tool particularly damaging, as an attacker could gain visibility into and control over sensitive infrastructure design data and configuration.
Attack flow:
1. Attacker identifies a network-accessible Oracle Edge Cloud Infrastructure Designer instance running version 0.3.0
2. Attacker sends a crafted HTTP request targeting the vulnerable Desktop component endpoint
3. The component fails to enforce authentication or authorization checks
4. Attacker achieves unauthenticated code execution on the server
5. Full system compromise — confidentiality, integrity, and availability are all rated HIGH in the CVSS vector
Why CVSS 9.8 Is Accurate
The CVSS 9.8 score is justified by the combination of:
- No authentication required — any attacker who can reach the service over HTTP can exploit it
- No user interaction required — exploitation is fully automated and requires no victim action
- Low attack complexity — no special conditions, race conditions, or non-default configurations are required
- Full CIA impact — successful exploitation yields complete control over confidentiality, integrity, and availability
Oracle describes this as "Easily exploitable" in its advisory language, further confirming the low barrier to exploitation.
Deployment Context and Risk
Oracle Edge Cloud Infrastructure Designer is used by organizations deploying edge computing and distributed cloud infrastructure — environments where security architects, cloud engineers, and operations teams design multi-site deployments, network topologies, and edge node configurations.
| Deployment Context | Risk Level | Notes |
|---|---|---|
| Internet-exposed instance | Critical | Direct unauthenticated exploitation from anywhere on the internet |
| Internal network deployment | High | Any attacker with internal access can exploit without credentials |
| Cloud design/architecture workstation | High | May contain sensitive infrastructure topology and credential data |
| CI/CD or automation pipeline integration | High | Exploitation could poison infrastructure-as-code pipelines |
Organizations using this toolkit to design production edge infrastructure should assume that a compromised instance may expose sensitive network topology, node configurations, and potentially credentials used during design workflows.
Recommended Mitigations
No patch has been announced as of March 18, 2026. Oracle has published this CVE through its external CVE list rather than through the standard Critical Patch Update (CPU) cycle. Apply the following compensating controls immediately.
1. Restrict Network Access
```bash
# Block all inbound HTTP access to the Designer toolkit from untrusted networks
# Allow only from authorized management workstations or subnets
# Example: iptables (adjust interface and port as appropriate)
# Note: "iptables -I" inserts at the TOP of the chain, so the DROP rule is
# inserted first and the ACCEPT rule second; the ACCEPT then sits above the
# DROP and is evaluated first. Inserting them in the opposite order would
# leave the DROP on top and block the authorized subnet as well.
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 80 -s <AUTHORIZED_MGMT_SUBNET> -j ACCEPT
iptables -I INPUT -p tcp --dport 8080 -j DROP
iptables -I INPUT -p tcp --dport 8080 -s <AUTHORIZED_MGMT_SUBNET> -j ACCEPT
# Verify the resulting order before relying on it
iptables -L INPUT -n --line-numbers
```
2. Isolate on a Management-Only Network
- Move the Oracle Edge Cloud Infrastructure Designer instance to an isolated management VLAN not reachable from general corporate networks or the internet
- Require access through a jump host or privileged access workstation (PAW)
- Disable direct internet exposure if currently present
3. Monitor for Exploitation Indicators
| Indicator | Description |
|---|---|
| Unauthenticated HTTP requests to Designer endpoints | Reconnaissance or exploitation attempt |
| Unexpected processes spawned by the Designer service | Post-exploitation code execution |
| New user accounts created or credentials changed | Attacker persistence |
| Unusual outbound network connections from the host | Data exfiltration or C2 communication |
| Changes to infrastructure design files or configurations | Attacker modification of edge deployment plans |
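The first indicator in the table, unauthenticated requests reaching the Designer from outside the authorized management subnet, can be triaged from the reverse-proxy access log described under defense-in-depth. The script below is an added example, not code from Oracle or from the advisory: it assumes a combined-format access log in which the proxy records the authenticated user in the remote-user field, a placeholder management subnet, and constructed sample log lines with placeholder paths.

```python
"""Triage reverse-proxy access logs for a Designer instance (added example;
log format, subnet and paths are assumptions, not from Oracle)."""
import ipaddress
import re
from collections import Counter

# Assumed: combined log format, with the remote-user field set by the proxy
# when the request carried valid credentials ("-" means no authenticated user).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Placeholder for the authorized management subnet used in the iptables rules.
AUTHORIZED_MGMT_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Constructed sample lines (documentation ranges, placeholder paths); not real traffic.
SAMPLE_LOG = """\
10.20.30.15 - admin [17/Mar/2026:10:01:02 +0000] "GET /designer/ HTTP/1.1" 200 5120
10.20.30.15 - admin [17/Mar/2026:10:01:05 +0000] "POST /designer/api/save HTTP/1.1" 200 88
203.0.113.77 - - [17/Mar/2026:10:02:10 +0000] "GET /designer/ HTTP/1.1" 200 5120
203.0.113.77 - - [17/Mar/2026:10:02:11 +0000] "POST /designer/api/save HTTP/1.1" 500 0
198.51.100.9 - - [17/Mar/2026:10:03:00 +0000] "GET /designer/api/config HTTP/1.1" 401 0
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text, authorized=AUTHORIZED_MGMT_SUBNET):
    """Return (findings, per_source): one finding per suspicious request,
    plus a Counter of findings per source IP for prioritising follow-up."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in production, count these separately
        src = ipaddress.ip_address(rec["ip"])
        reasons = []
        if src not in authorized:
            reasons.append("source outside authorized management subnet")
        # A 2xx with no authenticated user is the access-control failure itself.
        if rec["user"] == "-" and rec["status"].startswith("2"):
            reasons.append("request with no authenticated user succeeded")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})
    return findings, Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)[0]:
        print(f["ip"], f["status"], f["path"], "; ".join(f["reasons"]))
```

Requests from inside the management subnet with an authenticated user produce no finding; a 2xx response to a request with no authenticated user is flagged even from inside the subnet, since that is the access-control failure this CVE describes.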
4. Apply Defense-in-Depth Controls
- Enable application-layer logging on any reverse proxy in front of the Designer
- Deploy a web application firewall (WAF) with rules to detect anomalous unauthenticated requests
- Ensure host-based endpoint detection and response (EDR) is active on the system running the toolkit
5. Monitor Oracle Security Alerts
- Subscribe to Oracle Security Alerts at oracle.com/security-alerts/ to receive notification when a patch is released
- This CVE was published outside the standard Oracle CPU cycle — check both the external CVE list and the quarterly CPU page
Post-Remediation Checklist
- Verify network isolation — confirm the Designer instance is not reachable from untrusted networks
- Audit recent access logs — look for any unauthenticated or unexpected access prior to isolation
- Review infrastructure design files — check for unauthorized modifications to edge deployment configurations
- Rotate any credentials stored or referenced in the toolkit — if the instance was accessible, assume credential exposure
- Apply Oracle patch immediately upon release — monitor Oracle Security Alerts
- Assess downstream impact — review any edge infrastructure deployments that may have been designed or modified using the potentially compromised toolkit