Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-04-21
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Unauthorized creation, deletion, or modification of critical data by a low-privileged network attacker
Action: Patch
AI Analysis

Impact

A vulnerability in Oracle PeopleSoft Enterprise PeopleTools permits an attacker with low privileges over HTTP to create, delete, or alter data. The impact covers both confidentiality and integrity, enabling unauthorized access to critical information and manipulation of all data exposed by the application. The CVSS 3.1 base score of 8.1 reflects significant risk to the integrity and confidentiality of data within the system.

Affected Systems

The affected product is Oracle Corporation’s PeopleSoft Enterprise PeopleTools, specifically versions 8.61 and 8.62. Users running these releases are exposed to the described vulnerability and must review their deployment for potential exposure.

Risk and Exploitability

The vulnerability can be triggered over a standard HTTP connection by an attacker with limited permissions, implying that any host with network access to the application can attempt exploitation. The CVSS score indicates high severity, but the EPSS score is not available and the issue is not listed in CISA’s KEV catalog, suggesting that widespread exploitation may not yet have been observed. Nonetheless, the low attack effort and clear impact warrant timely attention.

Generated by OpenCVE AI on April 22, 2026 at 07:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch or upgrade to a later PeopleSoft PeopleTools release that includes the fix
  • Restrict HTTP access to the PeopleSoft application to trusted IP ranges or a protected network segment
  • Enforce strict role‑based access controls so users only have the minimum privileges necessary
  • Regularly review audit logs for unauthorized access attempts and unexpected data changes

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 07:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Low-Privilege HTTP Exploit Enables Unauthorized Data Modification in PeopleSoft Enterprise PeopleTools |
| Weaknesses | | CWE-284 |

Wed, 22 Apr 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthorized Data Manipulation via Low‑Privileged HTTP Attack in Oracle PeopleSoft PeopleTools |
| Weaknesses | | CWE-284 |

Wed, 22 Apr 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthorized Data Manipulation via Low‑Privileged HTTP Attack in Oracle PeopleSoft PeopleTools |
| Weaknesses | | CWE-284 |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). |
| First Time appeared | | Oracle; Oracle peoplesoft Enterprise Peopletools |
| CPEs | | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle peoplesoft Enterprise Peopletools |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:35.917Z

Reserved: 2026-03-26T19:48:45.680Z

Link: CVE-2026-34309

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:36.390

Modified: 2026-04-21T21:16:36.390

Link: CVE-2026-34309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z
