Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-01-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and read in PeopleSoft Enterprise PeopleTools
Action: Apply patch
AI Analysis

Impact

A flaw in the PeopleSoft Enterprise PeopleTools Portal component permits an unauthenticated attacker with network access via HTTP to influence data operations within the application. Exploitation requires that a user other than the attacker interact with the system, typically by clicking a link or performing an action that the attacker originated. Once that interaction occurs, the attacker can insert, update, or delete records and gains unauthorized read access to a subset of the system’s data, impacting data integrity and confidentiality.

Affected Systems

Oracle Corporation’s PeopleSoft Enterprise PeopleTools versions 8.60, 8.61 and 8.62 are affected. The issue resides in the Portal component of these product releases.

Risk and Exploitability

The CVSS v3.1 base score of 6.1 indicates a medium-severity vulnerability that affects confidentiality and integrity. The EPSS score is less than 1%, which points to a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack is delivered over HTTP, requires no authentication, and needs only a single human interaction, so its preconditions are only moderately hard to meet. While the risk is not high, the potential for data loss or unauthorized disclosure warrants prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 04:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s latest PeopleSoft Enterprise PeopleTools patches once available.
  • Restrict HTTP access to the Portal component to trusted IP ranges or enforce VPN usage to limit exposure to the public network.
  • Review and tighten role‑based access controls to ensure only authorized users can perform write operations or read sensitive data.
  • Enable detailed audit logging for data modification activities and monitor logs for suspicious actions.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Portal Access Allows Data Modification and Read in PeopleSoft PeopleTools
Weaknesses CWE-284

Thu, 29 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Peopletools
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.60:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Peopletools
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:59:06.372Z

Reserved: 2026-01-05T18:07:34.711Z

Link: CVE-2026-21938

Vulnrichment

Updated: 2026-01-21T20:59:02.448Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:56.533

Modified: 2026-01-29T21:11:06.717

Link: CVE-2026-21938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses