Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), meaning that critical functions of the Updates Environment Management component are accessible without any authentication. An attacker with network access to the system can send HTTP requests without providing credentials and gain full access to sensitive operations. The flaw is easy to exploit — it does not require special privileges or user interaction.
A successful attack leads to complete takeover of the PeopleSoft Enterprise PeopleTools system, including violation of confidentiality, integrity, and availability of data (C:H/I:H/A:H). An attacker can read, modify, or delete data, as well as cause system unavailability (DoS).
Patches released by Oracle must be applied immediately in accordance with the security alert available at https://www.oracle.com/security-alerts/alert-cve-2026-35273.html. Due to active exploitation of the vulnerability in the wild, the update should be deployed with priority. Until the patch is installed, it is recommended to restrict network access to the Updates Environment Management component exclusively to trusted IP addresses.
Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle Peoplesoft Enterprise Peopletools
APPOracle8.618.62
CISA KEV — detailsi
- Vendori
- Oracle ↗
- Producti
- PeopleSoft Enterprise PeopleTools
- Added to KEVi
- June 12, 2026
- Remediation deadline (US Federal)i
- June 15, 2026(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Related vulnerabilities
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)...
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Enviro...
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt()....
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes d...
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user fro...