Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Network HTTPS access required with high-privilege credentials; complete data confidentiality and integrity impact per Oracle; no availability impact stated.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Integration and Interfaces). The supported version that is affected is 9.2.38. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CS Campus Community accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Campus Community accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Unauthorized data access and manipulation in Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 allows a high-privileged attacker to read, create, modify, or delete all data within the Campus Community system via HTTPS. The flaw resides in the Integration and Interfaces component, where insufficient authorization controls permit elevated but unintended operations beyond a user's legitimate role scope. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the complete Confidentiality and Integrity impact on student and institutional data makes patching a priority for higher education organizations.
Technical ContextAI
PeopleSoft Enterprise CS Campus Community is Oracle's student information system platform used by higher education institutions to manage student records, enrollment, financial aid, and campus services. The affected component - Integration and Interfaces - handles data exchange between PeopleSoft modules and external systems, typically via HTTPS-exposed web services, REST, or SOAP APIs. The 'Authentication Bypass' tag in the intelligence metadata suggests the flaw may allow an authenticated high-privileged user to bypass authorization checks within integration workflows, accessing or modifying data outside their intended permission boundary. No CWE is assigned by NVD or Oracle, leaving the precise root cause class (e.g., improper authorization, broken access control) unconfirmed. The CPE identifier cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_cs_campus_community:*:*:*:*:*:*:*:* confirms this as Oracle's own product, with version 9.2.38 specifically enumerated in EUVD-2026-37288.
RemediationAI
Apply the patch provided in Oracle's Critical Patch Update for June 2026, available at https://www.oracle.com/security-alerts/cspujun2026.html. The exact patched version number is not independently confirmed beyond the advisory reference - organizations should consult Oracle's patch availability matrix for PeopleSoft Enterprise CS Campus Community 9.2.38 to identify the specific fix package. As compensating controls while patching is underway, restrict network access to the Integration and Interfaces component to only known trusted IP ranges or internal networks using firewall or PeopleSoft network access controls, reducing the pool of hosts that can reach the vulnerable HTTPS endpoints. Audit and reduce the number of high-privileged accounts (PR:H users) with access to Campus Community integration features to the minimum required, limiting the blast radius of compromised credentials. Disable or restrict unused integration endpoints within the component where operationally feasible, noting that disabling active integrations may impact data exchange workflows with external systems.
Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where
Vulnerability in the PeopleSoft Enterprise CS Campus Community component of Oracle PeopleSoft Products (subcomponent: Fr
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Integration and
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Notification Fra
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Self-Service). R
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37288