Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: unauthorized read, update, or delete of PeopleSoft data via low‑privileged HTTP access
Action: Apply Patch
AI Analysis

Impact

An access‑control flaw in the Corporate Workflow component of Oracle PeopleSoft Enterprise PeopleTools allows a low‑privileged attacker who can reach the application over HTTP to modify or read data that should be restricted. The attacker needs remote network access to the application, and a person other than the attacker must interact with the system for the attack to succeed. Successful exploitation results in unauthorized insert, update, or delete operations, as well as unauthorized read access to a subset of data, compromising the confidentiality and integrity of the affected data. The flaw is rated moderate severity because it does not directly yield full system takeover, but it can undermine business processes and data trust.

Affected Systems

Oracle Corporation PeopleSoft Enterprise PeopleTools, specifically the Workflow component. Versions 8.61 through 8.62 are known to be affected.

Risk and Exploitability

The CVSS v3.1 score of 5.4 indicates moderate risk, with low attack complexity and low privileges required. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers need network access to the PeopleSoft application over HTTP and need a separate user to interact with the workflow to trigger the flaw. Although the risk is moderate, the scope change can extend the impact to other connected products, so the overall risk warrants timely remediation.

Generated by OpenCVE AI on April 22, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest PeopleSoft Enterprise PeopleTools patch that resolves the workflow access‑control flaw as released by Oracle
  • Configure network firewalls to restrict direct HTTP access to the PeopleSoft application, allowing only trusted IP ranges to connect to the workflow component
  • Implement workflow monitoring and logging to detect unauthorized process initiation or data modification, and alert administrators


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Title Low‑Privilege HTTP Data Modification in Oracle PeopleSoft Workflow
Weaknesses CWE-284, CWE-285

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle; Oracle peoplesoft Enterprise Peopletools
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:*
Vendors & Products Oracle; Oracle peoplesoft Enterprise Peopletools
References
Metrics cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:22:28.558Z

Reserved: 2026-03-26T19:48:45.679Z

Link: CVE-2026-34307

Vulnrichment

Updated: 2026-04-22T13:22:24.607Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T21:16:36.117

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-34307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:00:09Z

Weaknesses