Skip to main content

Oracle PeopleTools CVE-2026-35271

| EUVDEUVD-2026-37402 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.7
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network-reachable HTTP with no auth or user interaction (AV:N/PR:N/UI:N), non-trivial conditions per Oracle (AC:H), scope change to other PeopleSoft data (S:C/C:H/I:H), no availability impact (A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:20 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Weblogic). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PT PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PT PeopleTools accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).

AnalysisAI

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic component allows attackers with HTTP access to read and modify critical data across PeopleTools and additional products in scope. Oracle rates the issue 8.7 CVSS 3.1 with high attack complexity but no privileges or user interaction, and the scope-change flag means impact extends beyond PeopleTools itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

PeopleSoft Enterprise PT PeopleTools is the application development and runtime platform that underpins Oracle PeopleSoft applications (HCM, FSCM, Campus Solutions, etc.), and it is delivered on top of Oracle WebLogic Server, which Oracle identifies as the affected component here. The CPE cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_pt_peopletools covers all versions but Oracle's advisory text scopes the issue to 8.61 and 8.62. The 'Authentication Bypass' tag combined with PR:N in the CVSS vector suggests the WebLogic-fronted PeopleTools HTTP surface fails to properly enforce an authentication or authorization check, letting an unauthenticated HTTP request reach functionality that should be gated; no CWE was assigned by the source, so the precise weakness class (CWE-287 vs CWE-306 vs CWE-863) is inferred rather than confirmed.

RemediationAI

Apply the Oracle Critical Patch Update of June 2026 for PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory, with exact post-patch build numbers to be taken from Oracle My Oracle Support since no specific fixed version string is provided in the input data. Until the CPU is deployed, restrict inbound HTTP/HTTPS reachability to the PeopleTools WebLogic listener so only trusted networks (VPN, jump hosts, corporate IP ranges) can reach the application, and place a WAF or reverse proxy in front to enforce authentication on portal entry points; note that aggressive URL filtering can break PeopleSoft integration brokers and IB-based interfaces, so test integration endpoints before tightening rules. Auditing WebLogic and PeopleTools access logs for anomalous unauthenticated HTTP requests is a reasonable interim detection measure given the authentication-bypass tag.

CVE-2026-35278 CRITICAL
9.8 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com

CVE-2026-35272 HIGH
8.4 Jun 16

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2021-2218 HIGH
8.3 Apr 22

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated

CVE-2026-35274 HIGH
8.2 Jun 16

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti

CVE-2026-35288 HIGH
8.2 Jun 16

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package

CVE-2026-35276 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se

CVE-2026-35289 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2026-35279 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo

CVE-2019-12402 HIGH
7.5 Aug 30

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w

CVE-2019-10086 HIGH
7.3 Aug 20

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a

CVE-2018-2793 MEDIUM
6.2 Apr 19

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin

CVE-2021-2408 MEDIUM
6.1 Jul 21

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur

Share

CVE-2026-35271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy