Skip to main content

Oracle PeopleTools EUVDEUVD-2026-37408

| CVE-2026-35279 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Performance Monitor is reachable over HTTP without auth (AV:N/PR:N/UI:N); Oracle's 'difficult to exploit' wording supports AC:H; 'takeover' outcome justifies C:H/I:H/A:H with no scope change.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:23 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

PeopleTools is the underlying middleware/runtime that hosts PeopleSoft Enterprise applications (HCM, FSCM, CRM, Campus Solutions). The affected Performance Monitor (PPM) component instruments PeopleSoft system performance by collecting metrics from monitored systems and the PIA web tier over HTTP; it exposes web-accessible servlets/endpoints that can be reached on the PeopleSoft Internet Architecture (PIA) without prior authentication in many deployments. The CPE cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_pt_peopletools confirms the affected product line. No CWE is assigned in NVD data, but the 'takeover' impact combined with the Performance Monitor attack surface is consistent with weaknesses in request handling or deserialization within that component - Oracle does not publish root-cause details in CPU advisories.

RemediationAI

Apply the patches delivered in Oracle's June 2026 Critical Patch Update for PeopleSoft (https://www.oracle.com/security-alerts/cspujun2026.html) to PeopleTools 8.61 and 8.62 - Oracle's CPU is the authoritative source for exact PRP/patch IDs, which must be obtained from My Oracle Support. As compensating controls until patching, restrict network access to the Performance Monitor servlets on the PIA web tier (typically reached via /psp or /psc URLs under the PPMI/Performance Monitor path) using the load balancer or web server, place PeopleSoft behind a VPN or zero-trust reverse proxy so HTTP is not internet-reachable, and consider disabling the Performance Monitor agent collection in non-essential environments - the trade-off is loss of PPM-based performance telemetry until the patch is applied. Do not rely on WAF signatures alone given the lack of public technical details.

CVE-2026-35278 CRITICAL
9.8 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com

CVE-2026-35271 HIGH
8.7 Jun 16

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen

CVE-2026-35272 HIGH
8.4 Jun 16

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2021-2218 HIGH
8.3 Apr 22

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated

CVE-2026-35274 HIGH
8.2 Jun 16

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti

CVE-2026-35288 HIGH
8.2 Jun 16

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package

CVE-2026-35276 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se

CVE-2026-35289 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2019-12402 HIGH
7.5 Aug 30

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w

CVE-2019-10086 HIGH
7.3 Aug 20

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a

CVE-2018-2793 MEDIUM
6.2 Apr 19

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin

CVE-2021-2408 MEDIUM
6.1 Jul 21

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur

Share

EUVD-2026-37408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy