CVE-2026-34301 - Vulnerability Details

- Low-Privilege HTTP-Based Data Leakage in Oracle PeopleSoft FIN Maintenance Management

Description

Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Published: 2026-04-21

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Work Order Management component of Oracle PeopleSoft Enterprise FIN Maintenance Management. It permits a low‑privileged attacker with network connectivity over HTTP to compromise the system and gain unauthorized access to all business data. The attack does not affect integrity or availability, but it severely impacts confidentiality by allowing full data traversal.

Affected Systems

Affected is Oracle Corporation’s PeopleSoft Enterprise FIN Maintenance Management product, version 9.2. No other versions or variants are noted.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 indicates a medium severity. Although the EPSS score is not available and the flaw is not listed in the CISA KEV catalog, the vector AV:N/AC:L/PR:L indicates that a local network attacker can easily reach the vulnerable HTTP interface. No public exploit information is provided, but the low privilege requirement suggests that this flaw could be abused by insiders or compromised credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

PeopleSoft Enterprise FIN Maintenance Management

affected

Version	Status	Constraints
`9.2`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Peoplesoft Enterprise Fin Maintenance Management

95%

Version	Status	Scheme	Platform
`9.2`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply Oracle PeopleSoft version 9.2 patch released in April 2026 (see Oracle CPU April 2026 advisory).
Limit HTTP access to the Work Order Management interface by firewall or VPN to trusted IP ranges.
Enforce least‑privilege role‑based access control to ensure low‑privileged accounts cannot view confidential data.

Generated by OpenCVE AI on April 22, 2026 at 02:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Title		Low-Privilege HTTP-Based Data Leakage in Oracle PeopleSoft FIN Maintenance Management
Weaknesses		CWE-200 CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
First Time appeared		Oracle Oracle peoplesoft Enterprise Fin Maintenance Management
CPEs		cpe:2.3:a:oracle:peoplesoft_enterprise_fin_maintenance_management:9.2:::::::*
Vendors & Products		Oracle Oracle peoplesoft Enterprise Fin Maintenance Management
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Oracle Peoplesoft Enterprise Fin Maintenance Management

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:31.556Z

Updated: 2026-04-21T20:35:31.556Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34301

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:35.283

Modified: 2026-04-21T21:16:35.283

Link: CVE-2026-34301

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object