Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Fluid Core). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. While the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).
Published: 2026-04-21
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Data Modification, Read Access, and Partial Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw is an improper access control weakness (CWE-284). An attacker who already holds high‑privilege credentials can send specially crafted HTTP requests to the Fluid Core component of Oracle PeopleSoft Enterprise PeopleTools, bypass normal authorization checks, and perform unauthorized updates, inserts, deletions, or reads, and may cause a partial denial of service. The CVSS vector requires high privileges (PR:H), so this is not privilege escalation; the attacker uses an existing access level to expand their impact within the application.

Affected Systems

This weakness affects Oracle PeopleSoft Enterprise PeopleTools, specifically the Fluid Core component in versions 8.61 and 8.62 of the product.

Risk and Exploitability

The CVSS v3.1 base score of 6.6 (Medium) reflects low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). The vulnerability is exploitable over the network via HTTP (AV:N) with low attack complexity (AC:L), requires high‑privilege credentials (PR:H), and carries a scope change (S:C), meaning a successful attack may affect additional products beyond PeopleTools. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, so the likelihood of exploitation is uncertain; the network exposure and the credential requirement suggest a moderate likelihood.

Generated by OpenCVE AI on April 22, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle PeopleSoft Enterprise PeopleTools patch or upgrade to a version newer than 8.62
  • Restrict HTTP access to PeopleSoft interfaces to known, trusted IP addresses and enforce strong authentication
  • Review privileged account usage and reduce unnecessary high‑level permissions
  • If a patch cannot be applied immediately, consider temporarily blocking the Fluid Core component’s endpoints to mitigate active exploitation


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Title Improper Access Control in Oracle PeopleSoft Enterprise PeopleTools Allows Unauthorized Data Modification and Partial Denial of Service
Weaknesses CWE-284

Wed, 22 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Title High Privilege Escalation via HTTP in PeopleSoft Enterprise PeopleTools 8.61-8.62
Weaknesses CWE-284

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title High Privilege Escalation via HTTP in PeopleSoft Enterprise PeopleTools 8.61-8.62
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Fluid Core). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. While the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).
First Time appeared Oracle
Oracle peoplesoft Enterprise Peopletools
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Peopletools
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:19.195Z

Reserved: 2026-03-26T19:48:45.675Z

Link: CVE-2026-34277

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:31.860

Modified: 2026-04-21T21:16:31.860

Link: CVE-2026-34277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T08:30:12Z

Weaknesses