Description
Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Absence Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Absence Management accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Absence Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Immediate Patch
AI Analysis

Impact

The flaw is an improper privilege management weakness (CWE-306) that permits a user with high privileges and network access via HTTP to create, delete, or modify critical data within PeopleSoft Enterprise HCM Absence Management. Successful exploitation results in unauthorized modification of critical records and full data access, impacting both confidentiality and integrity of the system. The vulnerability’s nature is a privilege escalation via HTTP requests, allowing the attacker to bypass normal access controls.

Affected Systems

Oracle Corporation’s PeopleSoft Enterprise HCM Absence Management version 9.2 is affected. No other versions are listed as susceptible.

Risk and Exploitability

The CVSS base score of 6.5 indicates medium severity. The EPSS score of 0.00054 (<1%) indicates a very low probability of exploitation, but the vulnerability is still exploitable by a high‑privilege actor with network access via HTTP. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is over the network using HTTP and requires the attacker to possess high‑privilege credentials within the PeopleSoft environment, which can lead to significant data integrity compromise.

Generated by OpenCVE AI on April 28, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle‑provided patch or upgrade to the latest 9.2 release that includes the fix.
  • Restrict inbound HTTP traffic to the PeopleSoft instance to trusted IP addresses using firewall or ACL rules.
  • Audit high‑privilege accounts and enforce least‑privilege principles to limit potential damage.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title HTTP-Based Privilege Escalation in PeopleSoft HCM Absence Management

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title HTTP-Based Data Manipulation via High Privileges in PeopleSoft HCM Absence Management
Weaknesses CWE-269

Thu, 23 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle peoplesoft Enterprise Human Capital Management Absence Management
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_absence_management:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle peoplesoft Enterprise Human Capital Management Absence Management

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title HTTP-Based Data Manipulation via High Privileges in PeopleSoft HCM Absence Management
Weaknesses CWE-269

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Absence Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Absence Management accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Absence Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Hcm Absence Management
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_hcm_absence_management:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Hcm Absence Management
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:20:57.944Z

Reserved: 2026-03-26T19:48:45.674Z

Link: CVE-2026-34266

Vulnrichment

Updated: 2026-04-22T14:20:54.843Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:30.040

Modified: 2026-04-23T15:06:45.240

Link: CVE-2026-34266

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses