Description
Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach due to unauthorized data exposure
Action: Patch
AI Analysis

Impact

The vulnerability resides in the Work Order Management component and is a case of improper authorization (CWE‑284). It allows a low‑privileged attacker with network connectivity over HTTP to bypass normal access controls and read all business data. The flaw does not affect integrity or availability, but it severely impacts confidentiality by allowing full data traversal.

Affected Systems

The affected product is Oracle Corporation’s PeopleSoft Enterprise FIN Maintenance Management, version 9.2. No other versions or variants are noted.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 indicates medium severity. The EPSS score is low, at <1%, and the flaw is not listed in the CISA KEV catalog. The attack vector AV:N/AC:L/PR:L/UI:N/S:U shows that a network attacker can reach the vulnerable HTTP interface with low privileges. No public exploit information is available.

Generated by OpenCVE AI on April 29, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle PeopleSoft version 9.2 patch released in April 2026 (see Oracle CPU April 2026 advisory).
  • Limit HTTP access to the Work Order Management interface by firewall or VPN to trusted IP ranges.
  • Enforce least‑privilege role‑based access control to ensure low‑privileged accounts cannot view confidential data.



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title HTTP Exploit in Oracle PeopleSoft FIN Maintenance Management Allows Confidential Data Exposure

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title PeopleSoft FIN Maintenance Management HTTP Vulnerability Exposes Confidential Data
Weaknesses CWE-264
CWE-285

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Title PeopleSoft FIN Maintenance Management HTTP Vulnerability Exposes Confidential Data
Weaknesses CWE-264
CWE-285

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title Low-Privilege HTTP-Based Data Leakage in Oracle PeopleSoft FIN Maintenance Management
Weaknesses CWE-200
CWE-284

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege HTTP-Based Data Leakage in Oracle PeopleSoft FIN Maintenance Management
Weaknesses CWE-200
CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Fin Maintenance Management
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_fin_maintenance_management:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Fin Maintenance Management
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:30:06.479Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34301

Vulnrichment

Updated: 2026-04-22T13:29:49.321Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:35.283

Modified: 2026-04-24T14:28:09.720

Link: CVE-2026-34301

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z

Weaknesses