Description
Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Absence Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Absence Management accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Absence Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Immediate Patch
AI Analysis

Impact

The flaw is an improper privilege management weakness (CWE-269) that permits a user with high privileges and network access via HTTP to create, delete, or modify critical data within PeopleSoft Enterprise HCM Absence Management. Successful exploitation results in unauthorized modification of critical records and full data access, impacting both confidentiality and integrity of the system. The vulnerability’s nature is a privilege escalation via HTTP requests, allowing the attacker to bypass normal access controls.

Affected Systems

Oracle Corporation’s PeopleSoft Enterprise HCM Absence Management version 9.2 is affected. No other versions are listed as susceptible.

Risk and Exploitability

The CVSS base score of 6.5 indicates medium severity, and the lack of an EPSS score makes the likelihood of exploitation uncertain. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is over the network using HTTP and requires the attacker to possess high‑privilege credentials within the PeopleSoft environment, which can lead to significant data integrity compromise.

Generated by OpenCVE AI on April 22, 2026 at 05:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle‑provided patch or upgrade to the latest 9.2 release that includes the fix.
  • Restrict inbound HTTP traffic to the PeopleSoft instance to trusted IP addresses using firewall or ACL rules.
  • Audit high‑privilege accounts and enforce least‑privilege principles to limit potential damage.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title HTTP-Based Data Manipulation via High Privileges in PeopleSoft HCM Absence Management
Weaknesses CWE-269

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Absence Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Absence Management accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Absence Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Hcm Absence Management
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_hcm_absence_management:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Hcm Absence Management
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:20:57.944Z

Reserved: 2026-03-26T19:48:45.674Z

Link: CVE-2026-34266

Vulnrichment

Updated: 2026-04-22T14:20:54.843Z

NVD

Status: Received

Published: 2026-04-21T21:16:30.040

Modified: 2026-04-22T15:16:14.700

Link: CVE-2026-34266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:14Z

Weaknesses