CVE-2026-35276 Overview
CVE-2026-35276 affects the Application Server component of Oracle PeopleSoft Enterprise PT PeopleTools. The flaw lets an unauthenticated attacker with network access via HTTP compromise the product. Supported versions 8.61 and 8.62 are affected. The vulnerability is mapped to [CWE-306] Missing Authentication for a Critical Function. Successful exploitation results in full takeover of PeopleSoft Enterprise PT PeopleTools, with high impact to confidentiality, integrity, and availability. Oracle addressed the issue in its June 2026 Critical Security Patch Update.
Critical Impact
Unauthenticated network-based exploitation can result in complete takeover of the PeopleSoft Enterprise PT PeopleTools deployment, exposing business-critical HR, finance, and student data.
Affected Products
- Oracle PeopleSoft Enterprise PT PeopleTools 8.61
- Oracle PeopleSoft Enterprise PT PeopleTools 8.62
- Component: Application Server
Discovery Timeline
- 2026-06-17 - CVE-2026-35276 published to the National Vulnerability Database
- 2026-06-18 - Last updated in the NVD
- June 2026 - Oracle releases fix as part of the Oracle Security Alert June 2026
Technical Details for CVE-2026-35276
Vulnerability Analysis
The vulnerability resides in the Application Server component of PeopleSoft Enterprise PT PeopleTools. PeopleTools is the development and runtime platform that hosts PeopleSoft application logic, Tuxedo-based application server domains, and integration broker services. The Application Server brokers requests between web clients and the database tier, making it a high-value target.
Oracle classifies the issue as difficult to exploit but reachable from the network without authentication or user interaction. The flaw maps to [CWE-306] Missing Authentication for a Critical Function, indicating that a sensitive operation in the HTTP request path can be invoked without verifying the caller's identity. A successful attack results in scope-unchanged but high impact across confidentiality, integrity, and availability, consistent with full service takeover.
The EPSS score is 0.415%, reflecting low observed exploitation activity at publication time. No public proof-of-concept code or CISA KEV listing exists.
Root Cause
The root cause is missing authentication on a critical function exposed by the Application Server over HTTP. An exposed handler accepts attacker-controlled input and performs a privileged operation without validating that the caller is authenticated and authorized. Oracle has not published source-level detail. Refer to the Oracle Security Alert June 2026 for advisory specifics.
Attack Vector
An attacker reaches the vulnerable endpoint over HTTP across the network. No credentials are required and no user interaction is needed. The high attack complexity reflects conditions outside the attacker's control, such as configuration state or timing, that must be met for exploitation to succeed. Once those preconditions are satisfied, the attacker can compromise the PeopleTools instance, read or modify business data, and disrupt availability.
No verified exploit code is publicly available. Technical details are intentionally omitted by Oracle to slow weaponization.
Detection Methods for CVE-2026-35276
Indicators of Compromise
- Unexpected HTTP requests to PeopleSoft Application Server endpoints originating from untrusted networks or anonymizing infrastructure.
- Application Server log entries showing privileged operations without a preceding authenticated session.
- New or modified PeopleTools objects, scheduled processes, or integration broker nodes created outside of change windows.
- Outbound connections from PeopleSoft servers to attacker-controlled hosts following anomalous HTTP traffic.
Detection Strategies
- Inspect PeopleSoft web server and Application Server (Tuxedo) logs for requests that invoke administrative or integration endpoints without valid session tokens.
- Baseline normal traffic to /psp/, /psc/, and integration broker URIs, then alert on deviations in source IP, user agent, or request rate.
- Correlate HTTP access logs with database audit logs to identify privileged actions that lack a corresponding authenticated front-end session.
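The three strategies above can be run as one pass over the logs. The script below is an added example written for this page, not Oracle tooling and not a detection signature for the flaw itself: it parses constructed web-tier access-log lines, flags requests to sensitive URI prefixes that carry no PeopleSoft session cookie, flags sensitive requests from outside a trusted-network baseline, raises a rate anomaly per source over a sliding window, and finally checks constructed database audit rows for privileged actions with no authenticated front-end request shortly before them. The log layout (combined format with the Cookie header appended), the sensitive prefixes, the `PS_TOKEN` cookie name, the trusted ranges, the window and the rate threshold are all assumptions to be adjusted per deployment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed access-log layout (constructed for this example): combined log format
# with the request's Cookie header appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Deployment-specific assumptions: sensitive URI prefixes (portal, component and
# integration gateway paths), the session cookie name, trusted client ranges.
SENSITIVE_PREFIXES = ("/psp/", "/psc/", "/PSIGW/")
SESSION_COOKIE = "PS_TOKEN"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]
RATE_WINDOW = timedelta(seconds=60)
RATE_LIMIT = 3  # sensitive requests per source per window before alerting


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["authenticated"] = f"{SESSION_COOKIE}=" in d["cookie"]
    d["sensitive"] = d["path"].startswith(SENSITIVE_PREFIXES)
    return d


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines, db_audit):
    """Return (rule, detail) findings from access-log lines and DB audit rows."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    per_source = defaultdict(list)
    for e in events:
        if e["sensitive"] and not e["authenticated"]:
            findings.append(("unauth_sensitive", f'{e["ip"]} {e["method"]} {e["path"]}'))
        if e["sensitive"] and not is_trusted(e["ip"]):
            findings.append(("untrusted_source", f'{e["ip"]} {e["path"]}'))
        if e["sensitive"]:
            per_source[e["ip"]].append(e["ts"])
    # Sliding-window rate check per source address
    for ip, stamps in per_source.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > RATE_WINDOW:
                start += 1
            if end - start + 1 > RATE_LIMIT:
                findings.append(("rate_anomaly", f"{ip} {end - start + 1} sensitive requests in {RATE_WINDOW.seconds}s"))
                break
    # A privileged DB action should have an authenticated front-end request shortly before it
    auth_times = sorted(e["ts"] for e in events if e["authenticated"])
    for row in db_audit:
        if row["privileged"] and not any(row["ts"] - RATE_WINDOW <= t <= row["ts"] for t in auth_times):
            findings.append(("privileged_without_session", f'{row["ts"]:%H:%M:%S} {row["action"]}'))
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


# Constructed sample data: one trusted user session, one untrusted source hitting the
# integration gateway with no session cookie, and three DB audit rows.
SAMPLE_LOG = [
    '10.20.1.15 - - [17/Jun/2026:09:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.PAY_VIEW.GBL HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PS_TOKEN=abc123; ExpirePage=x"',
    '10.20.1.15 - - [17/Jun/2026:09:00:05 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.PAY_VIEW.GBL HTTP/1.1" 200 3100 "-" "Mozilla/5.0" "PS_TOKEN=abc123"',
    '203.0.113.77 - - [17/Jun/2026:09:01:10 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 200 210 "-" "python-requests/2.31" ""',
    '203.0.113.77 - - [17/Jun/2026:09:01:18 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 200 210 "-" "python-requests/2.31" ""',
    '203.0.113.77 - - [17/Jun/2026:09:01:25 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 500 90 "-" "python-requests/2.31" ""',
    '203.0.113.77 - - [17/Jun/2026:09:01:41 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 200 210 "-" "python-requests/2.31" ""',
    '10.20.1.15 - - [17/Jun/2026:09:03:00 +0000] "GET /cs/ps/images/logo.png HTTP/1.1" 200 800 "-" "Mozilla/5.0" "PS_TOKEN=abc123"',
]
UTC = timezone.utc
SAMPLE_DB_AUDIT = [
    {"ts": datetime(2026, 6, 17, 9, 0, 30, tzinfo=UTC), "action": "UPDATE PS_PERSONAL_DATA", "privileged": True},
    {"ts": datetime(2026, 6, 17, 9, 1, 40, tzinfo=UTC), "action": "INSERT PSOPRDEFN", "privileged": True},
    {"ts": datetime(2026, 6, 17, 9, 2, 10, tzinfo=UTC), "action": "SELECT PS_JOB", "privileged": False},
]


def run_sample():
    return summarize(analyze(SAMPLE_LOG, SAMPLE_DB_AUDIT))


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG, SAMPLE_DB_AUDIT):
        print(f"{rule:28} {detail}")
```

On the sample data the four cookie-less gateway requests from the untrusted address trigger the unauthenticated and untrusted-source rules, their burst trips the rate rule once, and the `PSOPRDEFN` insert is reported because no authenticated request precedes it within the window, while the earlier update is covered by the 09:00:01 session. In production the audit rows would come from the database's own audit trail and the trusted ranges from the perimeter allow-list.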
Monitoring Recommendations
- Forward PeopleSoft web, Application Server, and database audit logs to a centralized SIEM for correlation with network telemetry.
- Monitor file integrity on PeopleTools binaries, configuration files, and PS_HOME for unauthorized modifications.
- Track creation of new PeopleSoft user accounts, role grants, and permission list changes, especially outside change-control windows.
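For the file-integrity recommendation, the checker below is an added example for this page, not part of any Oracle product: it hashes every file under a PeopleTools installation root into a baseline, stores it as JSON, and reports files added, removed or modified since the baseline was taken. Volatile directories such as logs are skipped by name. The `demo()` function builds a small constructed tree loosely modelled on a PS_HOME layout (the file names are illustrative, not a real PeopleTools manifest), alters it, and returns the diff.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, skip_dirs=("log", "tmp", "cache")):
    """Map every file under root (posix relative path -> digest), skipping volatile dirs."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep this copy off the monitored host."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(old, new):
    """Classify differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Constructed PS_HOME-like tree used to exercise the checker."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "appserv", "log"):
            (root / d).mkdir()
        (root / "bin" / "psadmin").write_bytes(b"binary-placeholder")
        (root / "appserv" / "psappsrv.cfg").write_text("[Startup]\nDBName=HRDEV\n")
        (root / "log" / "APPSRV.LOG").write_text("noise\n")
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        before = load_baseline(baseline_file)
        # Simulate an unreviewed change: one config edited, one binary dropped in,
        # and log churn that must not produce noise.
        (root / "appserv" / "psappsrv.cfg").write_text("[Startup]\nDBName=HRDEV\nDBUser=SYSADM\n")
        (root / "bin" / "psappsrv").write_bytes(b"new-binary")
        (root / "log" / "APPSRV.LOG").write_text("more noise\n")
        after = build_baseline(root)
        # baseline.json itself lives under root here for the demo; exclude it from the diff
        before.pop("baseline.json", None)
        after.pop("baseline.json", None)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline once immediately after patching from a known-good state and re-run it on a schedule; any entry under `added` or `modified` outside a change window is a candidate for the investigation steps listed above. Store the baseline where a compromised application server cannot rewrite it.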
How to Mitigate CVE-2026-35276
Immediate Actions Required
- Apply the June 2026 Oracle Critical Security Patch Update to PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 without delay.
- Inventory all PeopleTools deployments, including non-production and DR environments, to confirm patch coverage.
- Restrict network exposure of the PeopleSoft Application Server and web tier to trusted client networks only.
- Review recent Application Server and web server logs for signs of exploitation prior to patching.
Patch Information
Oracle released fixes in the June 2026 Critical Security Patch Update. Customers should consult the Oracle Security Alert June 2026 for patch identifiers, prerequisites, and supported upgrade paths for PeopleTools 8.61 and 8.62.
Workarounds
- Place the PeopleSoft web and Application Server tiers behind a web application firewall configured to block unauthenticated access to administrative URIs.
- Enforce IP allow-listing on perimeter devices so only known corporate ranges and VPN egress can reach PeopleSoft HTTP endpoints.
- Disable or firewall integration broker and admin endpoints that are not required for production operation until the patch is applied.
- Increase logging verbosity on the Application Server to support detection while the patch rollout is in progress.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.