Description
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Application Server). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the PeopleSoft Enterprise PT PeopleTools Application Server allows an unauthenticated attacker with network access via HTTP to compromise the system. This missing‑authentication flaw, identified as CWE‑306, enables the attacker to bypass authentication controls. Successful exploitation can lead to a full takeover, resulting in complete loss of confidentiality, integrity, and availability for the affected system.

Affected Systems

Oracle PeopleSoft’s PeopleTools product, versions 8.61 and 8.62, is affected. The issue resides in the application server component of the product.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 8.1, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be network-based, requiring HTTP connectivity to the vulnerable application server.

Generated by OpenCVE AI on June 18, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s security patch or upgrade to a version of PeopleSoft Enterprise PT PeopleTools that is not affected.
  • Restrict HTTP access to the application server to trusted IP addresses or networks to limit exposure to unauthenticated attackers.
  • Enforce strict authentication requirements and network segmentation so only authorized users can reach the application server.

Generated by OpenCVE AI on June 18, 2026 at 23:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title PeopleSoft Application Server Vulnerability Allowing Unauthenticated Remote Compromise

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Compromise in Oracle PeopleSoft PeopleTools
Weaknesses CWE-284
CWE-287

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Compromise in Oracle PeopleSoft PeopleTools
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Application Server). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle peoplesoft Enterprise Pt Peopletools
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.61:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.62:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Pt Peopletools
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Peoplesoft Enterprise Pt Peopletools
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:38.130Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35276

cve-icon Vulnrichment

Updated: 2026-06-17T13:56:07.892Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function