CVE-2026-35272 Overview
CVE-2026-35272 affects the Deployment Package component of Oracle PeopleSoft Enterprise PT PeopleTools. The flaw impacts supported versions 8.61 and 8.62. An unauthenticated attacker with logon access to the infrastructure where PeopleSoft Enterprise PT PeopleTools executes can compromise the product. Successful exploitation results in full takeover of PeopleSoft Enterprise PT PeopleTools, with high impact on confidentiality, integrity, and availability. The weakness maps to CWE-269: Improper Privilege Management. Oracle addressed the issue in the June 2026 Critical Security Patch Update advisory.
Critical Impact
An attacker with local infrastructure access can fully take over PeopleSoft Enterprise PT PeopleTools without authentication, exposing all confidentiality, integrity, and availability controls.
Affected Products
- Oracle PeopleSoft Enterprise PT PeopleTools 8.61
- Oracle PeopleSoft Enterprise PT PeopleTools 8.62
- Component: Deployment Package
Discovery Timeline
- 2026-06-17 - CVE-2026-35272 published to the National Vulnerability Database (NVD)
- 2026-06-18 - Last updated in NVD database
- June 2026 - Oracle releases the Critical Security Patch Update advisory
Technical Details for CVE-2026-35272
Vulnerability Analysis
The vulnerability resides in the Deployment Package component of PeopleSoft Enterprise PT PeopleTools. The flaw is categorized under CWE-269: Improper Privilege Management, indicating that the affected component fails to correctly assign, manage, or enforce privileges. An attacker who can authenticate to the host infrastructure, but who holds no privileges in PeopleTools itself, can leverage the weakness to escalate control over the application. Oracle classifies the issue as easily exploitable. EPSS data published on 2026-06-18 indicates a low likelihood of near-term opportunistic exploitation, but the impact profile remains severe because successful exploitation yields complete product takeover.
Root Cause
The Deployment Package component performs operations under elevated privileges without correctly validating the privilege boundary between the requester and the operation. This mismatch lets an actor who has logged on to the host, but who holds no PeopleTools credentials, execute privileged Deployment Package actions. Oracle has not published low-level technical details beyond the advisory entry.
Attack Vector
The attack vector is local: the attacker must already possess logon access to the underlying infrastructure where PeopleSoft Enterprise PT PeopleTools runs. From that foothold, no PeopleTools authentication, no user interaction, and no elevated privileges are required. The CVSS scope is unchanged, but the attacker gains full read, write, and availability impact within PeopleTools. Refer to the Oracle Security Alert for vendor-published technical details.
Detection Methods for CVE-2026-35272
Indicators of Compromise
- Unexpected execution of PeopleSoft Deployment Package operations by accounts that do not normally manage deployments.
- New, modified, or unscheduled deployment packages appearing on PeopleTools application servers.
- Privilege changes to PeopleTools administrative roles immediately following local logon events.
- Outbound connections or file writes originating from PeopleTools service accounts to non-standard paths.
Detection Strategies
- Audit PeopleTools application and OS-level logs for Deployment Package invocations correlated with local interactive or remote shell sessions.
- Baseline normal Deployment Package activity and alert on deviations in frequency, source account, or target host.
- Inspect file integrity on PeopleTools binaries and deployment directories for unauthorized writes.
Monitoring Recommendations
- Forward PeopleTools, database, and host OS logs to a centralized analytics platform for cross-source correlation.
- Monitor authentication events on hosts running PeopleTools 8.61 and 8.62 and flag privilege transitions tied to PeopleTools processes.
- Track changes to PeopleTools service accounts, scheduled jobs, and Deployment Package configurations.
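The baseline and correlation checks described in the indicator, detection and monitoring lists above, as an added worked example that is not part of the Oracle advisory or of PeopleSoft: it parses constructed sshd-style logon lines and a constructed "dpk:" deployment log (the real PeopleTools log formats are not on this page, so those formats, the host names, the account names and the baseline are assumptions), flags Deployment Package runs by non-baseline accounts or at above-baseline frequency, and attaches the interactive logon that preceded each flagged run on the same host.

```python
# Added example (not from the Oracle advisory or PeopleSoft): correlate OS logon
# events with Deployment Package invocations and flag deviations from a baseline.
# The log line formats, host names, account names and baseline below are
# constructed assumptions; the page does not document PeopleTools' real log formats.
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: an OS auth log (sshd-style) and an application-side
# deployment log in an assumed "dpk:" key=value format.
AUTH_LOG = """\
2026-06-20T01:58:02Z app01 sshd[1180]: Accepted publickey for ps_admin from 10.0.5.4 port 50122
2026-06-20T02:14:07Z app01 sshd[1201]: Accepted password for svc_report from 10.0.9.31 port 51890
2026-06-20T03:40:11Z app02 sshd[2210]: Accepted publickey for ps_admin from 10.0.5.4 port 50301
"""
DEPLOY_LOG = """\
2026-06-20T02:01:15Z app01 dpk: user=ps_admin action=deploy package=PT-DPK-A
2026-06-20T02:16:40Z app01 dpk: user=svc_report action=deploy package=PT-DPK-B
2026-06-20T02:17:02Z app01 dpk: user=svc_report action=deploy package=PT-DPK-C
2026-06-20T02:17:30Z app01 dpk: user=svc_report action=deploy package=PT-DPK-D
2026-06-20T03:45:00Z app02 dpk: user=ps_admin action=deploy package=PT-DPK-E
"""

# Baseline (constructed): which (host, account) pairs normally run Deployment
# Package operations, and how many invocations per hour are ordinary for them.
BASELINE_OPERATORS = {("app01", "ps_admin"), ("app02", "ps_admin")}
MAX_PER_HOUR = 2
LOGON_WINDOW = timedelta(minutes=30)   # logon-to-deployment correlation window

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
DEPLOY_RE = re.compile(r"^(\S+) (\S+) dpk: user=(\S+) action=(\S+) package=(\S+)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_logons(text):
    """Return [(time, host, user, source_ip)] for accepted interactive logons."""
    rows = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            rows.append((_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def parse_deployments(text):
    """Return [(time, host, user, action, package)] for Deployment Package runs."""
    rows = []
    for line in text.splitlines():
        m = DEPLOY_RE.match(line)
        if m:
            rows.append((_ts(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return rows


def detect(auth_text, deploy_text, baseline=BASELINE_OPERATORS, max_per_hour=MAX_PER_HOUR):
    """Alert on Deployment Package runs by non-baseline accounts or at abnormal
    frequency, and enrich each alert with the interactive logon (if any) that
    preceded it on the same host within LOGON_WINDOW."""
    logons = parse_logons(auth_text)
    per_hour = Counter()
    alerts = []
    for when, host, user, action, package in parse_deployments(deploy_text):
        reasons = []
        if (host, user) not in baseline:
            reasons.append("non-baseline account")
        bucket = (host, user, when.replace(minute=0, second=0))
        per_hour[bucket] += 1
        if per_hour[bucket] > max_per_hour:
            reasons.append("frequency above baseline")
        if not reasons:
            continue
        # Correlate with the most recent logon by the same account on the same host.
        prior = [lg for lg in logons
                 if lg[1] == host and lg[2] == user
                 and timedelta(0) <= when - lg[0] <= LOGON_WINDOW]
        logon_source = prior[-1][3] if prior else None
        alerts.append({
            "time": when.isoformat(), "host": host, "user": user,
            "action": action, "package": package, "reasons": reasons,
            "logon_source": logon_source,
            # A deviation that directly follows a fresh OS logon is the pattern the
            # indicators above describe, so it is ranked highest.
            "severity": "high" if logon_source else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(AUTH_LOG, DEPLOY_LOG):
        print(a["severity"], a["time"], a["host"], a["user"], a["reasons"], a["logon_source"])
```

On the constructed input the three svc_report runs are flagged (the third also for frequency) and each is tied to the 02:14 password logon from 10.0.9.31, while the baseline ps_admin runs produce nothing. In a real deployment the baseline set and hourly threshold would be derived from a period of observed activity, and the two parsers replaced with ones matching the actual PeopleTools and OS log formats.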
How to Mitigate CVE-2026-35272
Immediate Actions Required
- Apply the Oracle June 2026 Critical Patch Update for PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62.
- Inventory all PeopleTools instances and confirm version, patch level, and exposure of the Deployment Package component.
- Restrict local logon to PeopleTools infrastructure to a minimal set of administrators using just-in-time access.
- Rotate credentials and review session activity for any host that grants logon access to PeopleTools servers.
Patch Information
Oracle released a fix as part of the June 2026 Critical Security Patch Update. Review the Oracle Security Alert for the specific patch identifiers and installation steps for PeopleTools 8.61 and 8.62. Apply patches in a staged sequence (test, validate, then promote), and afterwards verify the installed version through psadmin and the PeopleTools About page.
Workarounds
- Limit operating system logon rights on PeopleTools hosts to deployment operators only, and enforce multi-factor authentication on bastion access.
- Segment PeopleTools application servers from general user networks using firewall and host-based controls.
- Disable or tightly restrict the Deployment Package workflow on production hosts until the patch is applied.
# Configuration example: restrict interactive logon to PeopleTools hosts (Linux)
# /etc/security/access.conf
# Only consulted when pam_access.so is enabled in the relevant /etc/pam.d service
# files (e.g. sshd, login). Rules are evaluated in order and the first match wins,
# so keep this deny rule above any permit-all line. Parentheses force a group lookup.
- : ALL EXCEPT root (peoplesoft_admins) : ALL
# Verify installed PeopleTools version after patching
psadmin -v
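A check for the logon restriction in the configuration example above, as an added example that is not part of the Oracle advisory: it audits an access.conf body for a deny-all-except rule naming the administrator group, confirms that no permit-all line precedes it (pam_access stops at the first matching rule), and confirms that a PAM service file actually references pam_access.so. File contents are passed in as text so the functions can run against copies, and the group name "peoplesoft_admins" and the sample files are constructed.

```python
# Added example (not from the Oracle advisory): audit the pam_access restriction
# recommended as a workaround. Inputs are file contents as text; the group name
# and the sample configurations are constructed for illustration.
import re

# "- : ALL EXCEPT <users/groups> : <origins>"
DENY_EXCEPT_RE = re.compile(
    r"^\s*-\s*:\s*ALL\s+EXCEPT\s+(?P<users>[^:]+?)\s*:\s*(?P<origins>.+?)\s*$")
# "+ : ALL : ALL" permits everyone from everywhere and shadows any later deny rule
PERMIT_ALL_RE = re.compile(r"^\s*\+\s*:\s*ALL\s*:\s*ALL\s*$")

# Constructed samples.
GOOD_CONF = "# allow only PeopleTools admins\n- : ALL EXCEPT root (peoplesoft_admins) : ALL\n"
SHADOWED_CONF = "+ : ALL : ALL\n- : ALL EXCEPT root (peoplesoft_admins) : ALL\n"
PAM_SSHD_ON = "account    required     pam_nologin.so\naccount    required     pam_access.so\n"
PAM_SSHD_OFF = "#account   required     pam_access.so\n"


def rules(text):
    """access.conf lines minus comments and blanks, in file order (first match wins)."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def check_access_conf(text, group):
    """Return (ok, message). ok is True only when a '- : ALL EXCEPT ... group ... : ALL'
    rule exists and no '+ : ALL : ALL' rule precedes it."""
    deny_idx = permit_idx = None
    for i, ln in enumerate(rules(text)):
        m = DENY_EXCEPT_RE.match(ln)
        if m and deny_idx is None and group in m.group("users") and m.group("origins") == "ALL":
            deny_idx = i
        if permit_idx is None and PERMIT_ALL_RE.match(ln):
            permit_idx = i
    if deny_idx is None:
        return False, f"no deny-all-except rule naming {group} with origin ALL"
    if permit_idx is not None and permit_idx < deny_idx:
        return False, f"permit-all rule (rule {permit_idx}) shadows the deny rule (rule {deny_idx})"
    return True, "deny-all-except rule present and not shadowed"


def check_pam_access(pam_text):
    """True when an active 'account ... pam_access.so' line is present; without it
    access.conf is never consulted for that service."""
    return any(re.match(r"^\s*account\s+.*pam_access\.so", ln) for ln in pam_text.splitlines())


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("shadowed", SHADOWED_CONF)):
        print(name, check_access_conf(conf, "peoplesoft_admins"))
    print("pam_access enabled:", check_pam_access(PAM_SSHD_ON), check_pam_access(PAM_SSHD_OFF))
```

To audit a live host, read /etc/security/access.conf and the relevant /etc/pam.d service files (sshd, login) into strings and pass them to these functions; both conditions must hold for the restriction to take effect.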
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.