Unauth HTTP Compromise of Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62
CVE-2026-35273 Published on June 11, 2026
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Known Exploited Vulnerability
This Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
The following remediation steps are recommended / required by June 15, 2026: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicab
Vulnerability Analysis
CVE-2026-35273 can be exploited with network access and requires neither authorization privileges nor user interaction. Its attack complexity is considered low. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit is considered critical, as the vulnerability has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2026-35273
Affected Versions
Oracle Corporation PeopleSoft Enterprise PeopleTools:
- Version 8.61 is affected.
- Version 8.62 is affected.