Description
Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
Published: 2026-01-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data manipulation and disclosure
Action: Apply Patch
AI Analysis

Impact

CVE-2026-21971 is a vulnerability in the Purchasing component of Oracle PeopleSoft Enterprise SCM Purchasing that allows an attacker with low privileges and network access to perform unauthorized create, update, delete, and read operations on data exposed through HTTP. The flaw bypasses intended access controls, resulting in confidentiality and integrity violations for data accessible through the Purchasing interface.

Affected Systems

Oracle PeopleSoft Enterprise SCM Purchasing version 9.2, including the Enterprise SCM Purchasing and Supply Chain Management Purchasing sub‑products, is affected. The vulnerability is present in the Purchasing component of these products.

Risk and Exploitability

The vulnerability can be exploited with a normal network HTTP request and requires only a local non‑privileged account. Once authenticated, the attacker can modify or read data. The CVSS 3.1 base score of 5.4 reflects moderate risk, and the EPSS score of less than 1% suggests a low likelihood of current exploitation. Because it is not listed in CISA’s KEV catalog, it appears not to be actively exploited on a large scale, yet the impact on data integrity and confidentiality warrants timely mitigation.

Generated by OpenCVE AI on April 18, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle January 2026 CPU patch that addresses the unauthorized data operation flaw in PeopleSoft Purchasing.
  • Restrict network access to the Purchasing web interface by configuring firewalls or VPNs so that only authorized staff can reach it.
  • Enforce least‑privilege for PeopleSoft accounts and review CRUD permissions to ensure that only appropriate roles can insert, update, or delete purchasing data.

Generated by OpenCVE AI on April 18, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege HTTP Vulnerability in Oracle PeopleSoft Enterprise SCM Purchasing Enabling Unauthorized Data Access
Weaknesses CWE-284
CWE-862

Thu, 29 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle peoplesoft Supply Chain Management Purchasing
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:peoplesoft_supply_chain_management_purchasing:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle peoplesoft Supply Chain Management Purchasing

Wed, 21 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Scm Purchasing
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_scm_purchasing:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Scm Purchasing
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Oracle Peoplesoft Enterprise Scm Purchasing Peoplesoft Supply Chain Management Purchasing
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T18:52:39.048Z

Reserved: 2026-01-05T18:07:34.715Z

Link: CVE-2026-21971

cve-icon Vulnrichment

Updated: 2026-01-21T18:47:24.875Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:16:00.210

Modified: 2026-01-29T14:47:26.827

Link: CVE-2026-21971

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses