Cyber Resilience

CVE-2026-21994

Critical

Published: 17 March 2026

Modified: 02 April 2026
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (35.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-21994 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle Okit. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-21994 is a critical-severity vulnerability affecting the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit, a product within Oracle Open Source Projects, specifically the Desktop component in version 0.3.0. Published on 2026-03-17, it stems from CWE-284 (Improper Access Control) and carries a CVSS 3.1 Base Score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical impacts on confidentiality, integrity, and availability.

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation enables full takeover of the affected Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit instance, allowing the attacker to compromise all core security properties.

For mitigation details, refer to the Oracle security advisory at https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html.

Vulnerability details

Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. Successful attacks of this vulnerability can result in takeover of Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation over HTTP of a public-facing application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-46818 (same vendor: Oracle)
CVE-2026-34310 (same vendor: Oracle)
CVE-2026-46839 (same vendor: Oracle)
CVE-2026-34287 (same vendor: Oracle)
CVE-2026-46822 (same vendor: Oracle)
CVE-2025-50105 (same vendor: Oracle)
CVE-2026-34291 (same vendor: Oracle)
CVE-2026-21962 (same vendor: Oracle)
CVE-2026-46820 (same vendor: Oracle)
CVE-2026-46821 (same vendor: Oracle)

Affected Assets

Vendor: oracle · Product: okit · Version: 0.3.0

Mitigating Controls

NIST 800-53 r5

prevent: Directly remediates the improper access control flaw (CWE-284) in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0 by applying vendor patches or upgrades.

prevent (AC-3 Access Enforcement): Enforces approved authorizations for logical access to system resources, directly countering the vulnerability's unauthenticated takeover via improper access control.

prevent (SC-7 Boundary Protection): Monitors and controls communications at external boundaries to block unauthenticated network access via HTTP to the vulnerable Desktop component.