Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Oracle — PeopleSoft Enterprise PeopleTools
- Added to KEV catalog
- 12 June 2026
- Federal remediation due date
- 15 June 2026
- Weakness classification (CWE)
- CWE-306
AI Breakdown
What it is
This critical vulnerability, CVE-2026-35273, affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. It's a flaw where important system functions lack proper security checks. An attacker can exploit this over the internet without needing a username or password, leading to a complete takeover of your PeopleSoft system.
Why it matters
This is an extremely severe issue with a CVSS score of 9.8, indicating the highest level of risk. What makes it particularly urgent is that this vulnerability is already known to be actively used in ransomware campaigns, posing an immediate threat to your operations. Failing to address it could result in a significant breach or system outage for your organization.
Recommended action
Your most immediate step is to apply all available patches or mitigations provided by Oracle for PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. It is crucial to evaluate the internet exposure of your PeopleSoft systems and ensure compliance with CISA's BOD 26-04 patching guidelines. If vendor mitigations are not available, you must discontinue the use of the affected product to prevent unauthenticated access.
AI-generated from CISA and NVD data — treat as a starting point, not a substitute for your own risk assessment.
CISA Description
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Notes
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html ; https://support.oracle.com/signin/ ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-35273
NVD Technical Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
More Oracle Vulnerabilities
Oracle WebLogic Server Unspecified Vulnerability
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
Oracle E-Business Suite Unspecified Vulnerability
Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
Is this vulnerability present in your environment?
CRS delivers independent VAPT assessments that identify exactly which known-exploited vulnerabilities exist in your network, applications, and infrastructure.
Explore VAPT Services