Description
Vulnerability in the PeopleSoft Enterprise FIN Contracts product of Oracle PeopleSoft (component: Contracts). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Contracts. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Contracts accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Data Access
Action: Assess & Remediate
AI Analysis

Impact

A flaw in the Contracts component of Oracle PeopleSoft Enterprise FIN Contracts version 9.2 allows a low‑privileged attacker who can reach the HTTP interface to read confidential contract information. The vulnerability has a CVSS 3.1 base score of 6.5; it affects confidentiality but not integrity or availability, and it is exploitable over HTTP with low attack complexity.

Affected Systems

Oracle PeopleSoft Enterprise FIN Contracts version 9.2 is the only product identified as affected in the CVE record.

Risk and Exploitability

The attack path requires network connectivity to the HTTP service and only low privileges. The low attack complexity makes exploitation straightforward, but no EPSS data are available and the vulnerability is not listed in the CISA KEV catalog. The confidentiality risk remains substantial for any organization that exposes this service to untrusted networks.

Generated by OpenCVE AI on April 22, 2026 at 04:57 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Consult the Oracle PeopleSoft security alert for any available updates or fixes for CVE-2026-34300.
  • Segment the Contracts component by restricting the HTTP service to trusted networks or requiring VPN access so that only authorized users can reach it.
  • Enforce role‑based access controls within PeopleSoft to limit users to the minimum contract data they need, and regularly review and audit access logs for abnormal activity.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthorized Data Access in Oracle PeopleSoft FIN Contracts via HTTP |
| Weaknesses | | CWE-200, CWE-284 |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the PeopleSoft Enterprise FIN Contracts product of Oracle PeopleSoft (component: Contracts). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Contracts. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Contracts accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). |
| First Time appeared | | Oracle; Oracle peoplesoft Enterprise Fin Contracts |
| CPEs | | cpe:2.3:a:oracle:peoplesoft_enterprise_fin_contracts:9.2:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle peoplesoft Enterprise Fin Contracts |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:31.143Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34300

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:35.150

Modified: 2026-04-21T21:16:35.150

Link: CVE-2026-34300

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:00:09Z

Weaknesses