Tenable finds RCE flaw in Oracle Cloud Code Editor
By Staff Writer

Tenable Research has discovered a remote code execution (RCE) vulnerability in Oracle Cloud Infrastructure’s (OCI) Code Editor that could have allowed attackers to hijack cloud environments without user interaction beyond a single click.
The Code Editor, part of Oracle’s Cloud Shell suite, is widely used by developers to manage cloud workloads and automation. The vulnerability identified by Tenable exposed a fundamental flaw in the file upload mechanism, where uploaded files were not sufficiently validated to confirm they originated from legitimate sources.
This oversight opened the door for malicious websites to exploit users who were already logged into their Oracle Cloud accounts.
“With just one click, a victim could unwittingly upload malicious code to their Cloud Shell environment,” Tenable wrote in its blog post. “The next time the user opened the Cloud Shell, the malicious payload would execute automatically.”
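The flaw class described above is a cross-site upload: a browser attaches the user's session cookies to a form post regardless of which site initiated it, so an upload endpoint that treats a valid session as proof of intent will accept uploads triggered from another site. The following is an added illustration written for this article, not Oracle's code and not taken from Tenable's write-up. It places a flawed acceptance check beside a hardened one that verifies the request's origin, the browser's Sec-Fetch-Site hint and a per-session CSRF token; the console origin, cookie name, form field and server secret are constructed for the example.

```python
# Added illustration of the flaw class described above: an upload endpoint that
# trusts any request carrying a session cookie, next to a variant that verifies
# the request really came from the console. Not Oracle's or Tenable's code;
# the origin, cookie and field names are constructed for this example.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed: the only origin allowed to post uploads.
TRUSTED_ORIGINS = frozenset({"https://console.example-cloud.test"})
# Constructed server-side secret used to derive per-session CSRF tokens.
SERVER_SECRET = b"constructed-example-secret"


@dataclass
class UploadRequest:
    """Minimal view of an HTTP multipart upload as the server sees it."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    filename: str = ""


def csrf_token_for(session_id: str) -> str:
    """Derive a CSRF token bound to the session (HMAC of the session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_accept(req: UploadRequest) -> bool:
    """Flawed check: a session cookie alone is taken as proof of intent.
    Browsers attach cookies to cross-site form posts too, so a page on
    another site can submit an upload on the logged-in user's behalf."""
    return "session" in req.cookies


def request_origin(req: UploadRequest) -> Optional[str]:
    """Origin header if present, else scheme://host derived from Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_accept(req: UploadRequest) -> tuple:
    """Accept only uploads the console page itself initiated.

    Three independent signals must agree: the browser-set Origin/Referer,
    the browser-set Sec-Fetch-Site hint, and a CSRF token that only a page
    served from the console could have read. Returns (ok, reason)."""
    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no session"
    origin = request_origin(req)
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin!r}"
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site != "same-origin":
        return False, f"cross-site fetch ({fetch_site})"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return False, "missing or invalid csrf token"
    # Uploaded names must not escape the user's upload directory.
    if "/" in req.filename or "\\" in req.filename or req.filename in ("", ".", ".."):
        return False, "unsafe filename"
    return True, "ok"


# Constructed request from a page on another site, carrying the victim's
# session cookie because the browser adds it automatically.
CROSS_SITE_UPLOAD = UploadRequest(
    headers={"Origin": "https://other-site.example.test", "Sec-Fetch-Site": "cross-site"},
    cookies={"session": "victim-session-id"},
    form={},
    filename="uploaded.sh",
)

# Constructed request from the real console page, including the token it read.
CONSOLE_UPLOAD = UploadRequest(
    headers={"Origin": "https://console.example-cloud.test", "Sec-Fetch-Site": "same-origin"},
    cookies={"session": "victim-session-id"},
    form={"csrf_token": csrf_token_for("victim-session-id")},
    filename="deploy.tf",
)

if __name__ == "__main__":
    print("vulnerable check accepts cross-site upload:", vulnerable_accept(CROSS_SITE_UPLOAD))
    print("hardened check on cross-site upload:", hardened_accept(CROSS_SITE_UPLOAD))
    print("hardened check on console upload:", hardened_accept(CONSOLE_UPLOAD))
```

The three signals are deliberately redundant: Origin and Sec-Fetch-Site are set by the browser and cannot be forged by page script, while the CSRF token covers older browsers that send neither header. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary server-side setting that keeps the cookie off cross-site posts in the first place.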
Once compromised, attackers could execute arbitrary commands, extract sensitive credentials, or pivot to other OCI services such as Resource Manager, Functions, and Data Science. This type of lateral movement significantly increases the risk of system-wide compromise or persistent backdoors, especially in environments with high-level privileges.
The discovery underscores what Tenable describes as the “Jenga® Concept” of cloud architecture—where multiple integrated services can collapse if one underlying component is flawed.
“Similar to the game of Jenga®, extracting one block can compromise the integrity of the whole structure,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches. Our OCI research underscores the critical importance of scrutinising these interconnected systems.”
Oracle has already patched the vulnerability. No further user action is required, the company confirmed.
The vulnerability highlights the importance of layered cloud security and diligent supply chain analysis. In multi-service environments such as OCI, a flaw in a seemingly isolated tool like a code editor can ripple through broader cloud operations, from automation pipelines to machine learning deployments.
Security researchers and cloud administrators alike emphasize that cloud service providers must not only react to vulnerabilities but design architectures with zero-trust principles and service isolation in mind from the outset.
Tenable’s full technical breakdown and proof-of-concept are available via its blog at tenable.com.