Skip to main content

Oracle PeopleSoft CVE-2026-46849

| EUVDEUVD-2026-37342 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network HTTP exposure with low complexity, requires a low-privileged authenticated account per Oracle (PR:L), no UI, full read/write on Student Financials data, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 8.1
Analysis Generated
Jun 16, 2026 - 22:46 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise CS Student Financials product of Oracle PeopleSoft (component: Other). The supported version that is affected is 9.2.38. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Financials. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CS Student Financials accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Student Financials accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged PeopleSoft credentials
Delivery
Reach PIA over HTTP
Exploit
Send crafted Student Financials request
Execution
Bypass authorization controls
Persist
Read or modify other students' financial records
Impact
Exfiltrate or alter critical data

Vulnerability AssessmentAI

Exploitation Requires (1) network HTTP access to a deployed PeopleSoft Enterprise CS Student Financials 9.2.38 instance, (2) any valid low-privileged authenticated session against that PeopleSoft environment (PR:L per CVSS - not pre-authentication), and (3) the Student Financials module being enabled and reachable from the authenticated user's role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N indicates a network-reachable, low-complexity attack requiring only a low-privileged account and no user interaction, yielding full read/write impact on accessible data - a realistic priority for any institution exposing PeopleSoft to authenticated users (which is the norm for student self-service portals). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains or registers a low-privileged PeopleSoft account (for example, a student self-service login, a former-employee credential, or a phished applicant account) sends crafted HTTP requests to the Student Financials module over the standard PIA web tier. With no user interaction or additional privilege escalation required, the attacker reads or modifies tuition charges, payment records, refund destinations, or financial-aid balances belonging to other students. …
Remediation Apply the Oracle Critical Patch Update for PeopleSoft published June 2026 per advisory https://www.oracle.com/security-alerts/cspujun2026.html, which is the vendor-released patch addressing this issue - the input does not enumerate an exact post-patch build string, so administrators should consult that advisory for the precise Tools and Application patch IDs aligning with their 9.2.38 baseline. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy