Skip to main content

Oracle PeopleSoft EUVDEUVD-2026-37342

| CVE-2026-46849 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network HTTP exposure with low complexity, requires a low-privileged authenticated account per Oracle (PR:L), no UI, full read/write on Student Financials data, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 8.1
Analysis Generated
Jun 16, 2026 - 22:46 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise CS Student Financials product of Oracle PeopleSoft (component: Other). The supported version that is affected is 9.2.38. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Financials. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CS Student Financials accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Student Financials accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. No public exploit identified at time of analysis, but the 'easily exploitable' vendor characterization and minimal privilege requirement make this a priority for institutions running affected campus financial systems.

Technical ContextAI

PeopleSoft Enterprise CS (Campus Solutions) Student Financials is the module that handles tuition billing, financial aid disbursement, payment processing, student account receivables, and refund management in higher-education ERP deployments. The affected version is 9.2.38, served over HTTP by PeopleSoft's PIA (PeopleSoft Internet Architecture) and Application Server tier. Oracle's advisory tags this under 'Other' component without disclosing the root cause class, and no CWE is assigned in the input; however, the tag 'Authentication Bypass' in the intelligence feed combined with PR:L (not PR:N) suggests an authorization or access-control weakness where a low-privileged authenticated user can escalate to access data beyond their entitlement, rather than a pre-auth bypass.

RemediationAI

Apply the Oracle Critical Patch Update for PeopleSoft published June 2026 per advisory https://www.oracle.com/security-alerts/cspujun2026.html, which is the vendor-released patch addressing this issue - the input does not enumerate an exact post-patch build string, so administrators should consult that advisory for the precise Tools and Application patch IDs aligning with their 9.2.38 baseline. Until the CPU is applied, restrict network reachability of the PeopleSoft PIA to trusted networks (VPN or campus-only) to limit the pool of low-privileged accounts that can reach the vulnerable HTTP surface; audit Student Financials role grants to remove unnecessary access to financial transaction pages; and review web server access logs for anomalous requests against Student Financials components. These compensating controls reduce exposure but do not eliminate risk for any campus that must keep student self-service externally reachable, which is the typical deployment.

Share

EUVD-2026-37342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy