Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
Published: 2026-01-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification and Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability allows a low-privileged attacker with network access via HTTP to exploit a flaw in the Push Notifications component of Oracle PeopleSoft Enterprise PeopleTools. Successful exploitation lets the attacker perform unauthorized insert, update, or delete operations on some of the data the component can reach, and read a subset of that data, compromising confidentiality and integrity (availability is not affected). The flaw is classified as CWE-284, Improper Access Control: the component does not enforce sufficient authorization before performing these operations on behalf of the caller.
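The weakness class above (CWE-284, an authenticated but unauthorized caller acting on records that are not theirs) is easier to recognise in code than in CVSS prose. The following is a constructed illustration added for this page; it is not PeopleSoft code and does not reproduce the actual CVE-2026-21934 defect, whose internals Oracle has not published. Every class, field and role name in it (Notification, Session, NotificationAdmin) is hypothetical. The vulnerable API checks only that a session exists; the hardened one resolves the record and checks ownership (or an explicit admin role) before every read, update or delete, and returns the same error for missing and foreign records so IDs cannot be enumerated.

```python
"""Constructed illustration of CWE-284 (Improper Access Control) in a
notification-style API. Added for this page; not PeopleSoft code and not the
actual CVE-2026-21934 defect. All names here are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Notification:
    id: int
    owner: str            # user the notification was pushed to
    text: str
    read: bool = False


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


class NotificationStore:
    """Minimal in-memory table standing in for the notification records."""

    def __init__(self):
        self._rows = {}
        self._next_id = 1

    def add(self, owner, text):
        n = Notification(self._next_id, owner, text)
        self._rows[n.id] = n
        self._next_id += 1
        return n.id

    def get(self, nid):
        return self._rows.get(nid)

    def delete(self, nid):
        self._rows.pop(nid, None)


class VulnerableNotificationAPI:
    """Authenticates (is there a session?) but never authorizes (does this
    record belong to the caller?). Any logged-in user can read, alter or
    delete any other user's notifications: the CWE-284 pattern."""

    def __init__(self, store):
        self.store = store

    def _require_login(self, session):
        if session is None:
            raise PermissionError("login required")

    def read(self, session, nid):
        self._require_login(session)
        return self.store.get(nid)           # no ownership check

    def update(self, session, nid, text):
        self._require_login(session)
        self.store.get(nid).text = text      # no ownership check

    def delete(self, session, nid):
        self._require_login(session)
        self.store.delete(nid)               # no ownership check


class HardenedNotificationAPI(VulnerableNotificationAPI):
    """Same surface, but every operation resolves the record and checks that
    the caller owns it (or holds an explicit admin role) before acting."""

    ADMIN_ROLE = "NotificationAdmin"         # hypothetical role name

    def _authorize(self, session, nid):
        self._require_login(session)
        n = self.store.get(nid)
        # Missing and foreign records get the same error so a caller cannot
        # enumerate which IDs exist by probing.
        if n is None or (n.owner != session.user
                         and self.ADMIN_ROLE not in session.roles):
            raise PermissionError("not found or not permitted")
        return n

    def read(self, session, nid):
        return self._authorize(session, nid)

    def update(self, session, nid, text):
        self._authorize(session, nid).text = text

    def delete(self, session, nid):
        self._authorize(session, nid)
        self.store.delete(nid)


def demo(api_cls):
    """Run the cross-user scenario against one API class: bob, a low-privileged
    user with no admin role, tries to read, update and delete alice's record."""
    store = NotificationStore()
    nid = store.add("alice", "Your timesheet was approved")   # constructed data
    api = api_cls(store)
    bob = Session("bob")
    outcome = {}
    for op, call in (("read", lambda: api.read(bob, nid)),
                     ("update", lambda: api.update(bob, nid, "tampered")),
                     ("delete", lambda: api.delete(bob, nid))):
        try:
            call()
            outcome[op] = "allowed"
        except PermissionError:
            outcome[op] = "denied"
    return outcome


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableNotificationAPI))
    print("hardened:  ", demo(HardenedNotificationAPI))
```

Against the vulnerable class all three of bob's operations succeed; against the hardened class all three are denied while alice and a NotificationAdmin still get through. The point for reviewers is that "is the user logged in" and "may this user touch this record" are separate checks, and CWE-284 findings are almost always the second one missing.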

Affected Systems

Oracle PeopleSoft Enterprise PeopleTools versions 8.60, 8.61, and 8.62 are affected; the CPE entries below identify only the release train, not the patch level. The issue resides in the Push Notifications component, which delivers messages to end users. Any deployment of these versions whose HTTP interface is reachable by authenticated low-privileged users is exposed.

Risk and Exploitability

The CVSS v3.1 base score of 5.4 (Medium) reflects a network attack vector with low complexity and no user interaction, but low privileges required: the attacker needs an account on the PeopleSoft instance, not administrative or console access. Scope is unchanged, so the impact stays within PeopleTools itself. The EPSS score below 1% suggests a low probability of exploitation in the wild, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below rates it as not automatable with no known exploitation. Because the vector is HTTP, any low-privileged user who can reach the web tier, from inside the network or over the public Internet if the instance is externally published, is in a position to exploit it.

Generated by OpenCVE AI on April 18, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround is recorded in this page's reference list. Oracle published this CVE with its January 2026 Critical Patch Update; the PeopleTools patch is listed in that advisory (see the recommended actions below).

OpenCVE Recommended Actions

  • Download and install the PeopleSoft Enterprise PeopleTools security patch listed in the January 2026 Oracle Critical Patch Update advisory for the 8.60, 8.61 or 8.62 line you run
  • Restrict HTTP access to the PeopleSoft web tier, and to the Push Notifications endpoint in particular, to trusted networks. Since the attacker needs only a low-privileged account (PR:L), this reduces Internet exposure but does not protect against an authenticated insider
  • Enable audit logging for data modification operations in PeopleSoft and review the logs for inserts, updates or deletes made by accounts that should have no such rights, with particular attention to notification data
  • If the patch cannot be applied promptly, consider disabling the Push Notifications feature to remove the exploitable surface, after confirming which business functions depend on it



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:00:00 +0000

Title: Unauthorized Data Manipulation via Push Notifications in PeopleSoft Enterprise PeopleTools
Weaknesses: CWE-284

Thu, 29 Jan 2026 21:15:00 +0000

Weaknesses: NVD-CWE-noinfo

Wed, 21 Jan 2026 21:15:00 +0000

Metrics (ssvc, version 2.0.3): Exploitation: none; Automatable: no; Technical Impact: partial


Tue, 20 Jan 2026 22:15:00 +0000

Description: (same text as the Description at the top of this page)
First Time appeared: Oracle; Oracle peoplesoft Enterprise Peopletools
CPEs: cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.60:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:*
Vendors & Products: Oracle; Oracle peoplesoft Enterprise Peopletools
References: (none)
Metrics (cvssV3_1): score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:56:50.624Z

Reserved: 2026-01-05T18:07:34.710Z

Link: CVE-2026-21934

Vulnrichment

Updated: 2026-01-21T20:56:47.935Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:56.033

Modified: 2026-01-29T21:11:43.027

Link: CVE-2026-21934

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses