CVE-2026-35278 Overview
CVE-2026-35278 is a critical authentication bypass vulnerability in the Performance Monitor component of Oracle PeopleSoft Enterprise PT PeopleTools. The flaw affects supported versions 8.61 and 8.62. An unauthenticated remote attacker with network access over HTTP can exploit the issue to fully compromise PeopleSoft Enterprise PT PeopleTools. The underlying weakness is classified as [CWE-306] Missing Authentication for Critical Function.
Critical Impact
Successful exploitation results in complete takeover of PeopleSoft Enterprise PT PeopleTools, with full loss of confidentiality, integrity, and availability.
Affected Products
- Oracle PeopleSoft Enterprise PT PeopleTools 8.61
- Oracle PeopleSoft Enterprise PT PeopleTools 8.62
- Component: Performance Monitor
Discovery Timeline
- 2026-06-17 - CVE-2026-35278 published to NVD
- 2026-06-18 - Last updated in NVD database
- 2026-06-18 - EPSS score recorded at 0.537% (40.9th percentile)
Technical Details for CVE-2026-35278
Vulnerability Analysis
The vulnerability resides in the Performance Monitor component of PeopleSoft PT PeopleTools. Oracle's advisory describes it as easily exploitable by an unauthenticated attacker reaching the service over HTTP. The attack requires no user interaction and no prior privileges. Successful exploitation yields full takeover of the PeopleTools instance, impacting confidentiality, integrity, and availability of hosted PeopleSoft applications.
Because PeopleTools underpins HCM, Financials, and Campus Solutions deployments, a compromised Performance Monitor host can pivot to backend application servers, web servers, and database tiers. Attackers who gain administrative control can extract employee records, financial data, and authentication material.
Root Cause
The Common Weakness Enumeration is [CWE-306] Missing Authentication for Critical Function. A privileged operation exposed by the Performance Monitor accepts requests without verifying caller identity. Any network-reachable client can invoke the function and reach a code path that should be restricted to authenticated administrators.
Attack Vector
Exploitation requires only network access to the HTTP interface of the Performance Monitor servlet. An attacker sends a crafted HTTP request to the unauthenticated endpoint. No credentials, tokens, or session cookies are required. Refer to the Oracle Security Alert for vendor-supplied technical details. No public proof-of-concept code is currently associated with this CVE.
Detection Methods for CVE-2026-35278
Indicators of Compromise
- Unauthenticated HTTP requests targeting Performance Monitor servlet paths under the PeopleSoft web server (for example the /psp/, /psc/ and ppmi endpoints).
- Unexpected new PeopleSoft administrative accounts, role grants, or modified PSOPRDEFN records.
- Outbound connections from PeopleTools application servers to unfamiliar external hosts shortly after anomalous HTTP traffic.
- Java process spawns of OS shells (cmd.exe, /bin/sh) under the PeopleSoft service account.
Detection Strategies
- Inspect web server access logs for requests to Performance Monitor URIs that lack valid session cookies or authentication headers.
- Alert on HTTP responses with status 200 from monitor endpoints when the request did not pass through the PeopleSoft sign-on servlet.
- Correlate web tier requests with downstream Tuxedo application server calls to detect unauthenticated administrative invocations.
Monitoring Recommendations
- Forward PeopleSoft web server, application server, and Performance Monitor logs to a centralized SIEM for retention and correlation.
- Baseline normal Performance Monitor traffic volume and source IP ranges, then alert on deviations.
- Monitor PeopleSoft database audit tables for changes to security-relevant records originating from monitor-related sessions.
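As an added example (not from this page or from Oracle), the following script implements the first two detection strategies above together with the source-range baseline check from the monitoring recommendations, run over constructed access-log lines. It assumes a custom log format that records the request's Cookie header as the last quoted field, that a PS_TOKEN or *PSJSESSIONID cookie marks an authenticated PeopleSoft session, and a constructed trusted source range of 10.20.0.0/16.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed custom access-log format that appends the
# request's Cookie header as a final quoted field (not a stock web server format).
SAMPLE_LOG = """\
10.20.0.15 - - [18/Jun/2026:09:01:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120 "PS_TOKEN=abc123; ExpirePage=https://hr.example.com/"
10.20.0.15 - - [18/Jun/2026:09:02:40 +0000] "GET /monitor/ps/ HTTP/1.1" 200 2048 "PS_TOKEN=abc123"
203.0.113.77 - - [18/Jun/2026:09:03:01 +0000] "POST /ppmi/ps/ HTTP/1.1" 200 311 "-"
203.0.113.77 - - [18/Jun/2026:09:03:02 +0000] "POST /monitor/ps/ HTTP/1.1" 200 118 "-"
10.20.0.31 - - [18/Jun/2026:09:04:10 +0000] "GET /ppmi/ps/ HTTP/1.1" 401 0 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
# Performance Monitor servlet paths named on this page; extend for your deployment.
MONITOR_URI = re.compile(r"^/(ppmi|monitor)/", re.IGNORECASE)
# Assumed PeopleSoft session cookie names (PS_TOKEN and the per-site *PSJSESSIONID).
SESSION_COOKIE = re.compile(r"\bPS_TOKEN=|PSJSESSIONID=", re.IGNORECASE)
# Constructed baseline of source ranges that normally reach the monitor.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_unauthenticated_monitor_hit(rec):
    """Monitor URI answered 200 while the request carried no session cookie."""
    return (MONITOR_URI.match(rec["uri"]) is not None
            and rec["status"] == "200"
            and not SESSION_COOKIE.search(rec["cookie"]))

def outside_baseline(ip):
    return not any(ip_address(ip) in net for net in TRUSTED_NETS)

def analyze(log_text):
    """Return (alerts, suspicious hits per source IP) over an access log."""
    alerts, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_monitor_hit(rec):
            per_ip[rec["ip"]] += 1
            alerts.append({"ts": rec["ts"], "ip": rec["ip"], "uri": rec["uri"],
                           "outside_baseline": outside_baseline(rec["ip"])})
    return alerts, per_ip
```

Requests that were refused (non-200) or that carried a session cookie are deliberately not alerted on, so the output is limited to successful unauthenticated invocations, which is the condition the page's detection strategies describe.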
How to Mitigate CVE-2026-35278
Immediate Actions Required
- Apply the Oracle Critical Patch Update referenced in the Oracle Security Alert to PeopleTools 8.61 and 8.62 deployments.
- Restrict network access to PeopleSoft web servers so that only trusted corporate networks and VPN ranges can reach HTTP endpoints.
- Audit PeopleSoft accounts, roles, and permission lists for unauthorized changes since June 2026.
Patch Information
Oracle addressed CVE-2026-35278 in the June 2026 Critical Patch Update. Administrators should download the corresponding PeopleTools patch from My Oracle Support and apply it to all PeopleTools 8.61 and 8.62 environments, including development, test, and production tiers. Validate patch deployment by confirming the build number reported by PeopleTools matches the fixed release.
Workarounds
- Block external access to Performance Monitor URIs at the reverse proxy or web application firewall until the patch is applied.
- Disable the Performance Monitor in environments where it is not actively required.
- Place PeopleSoft web tiers behind authenticated reverse proxies to enforce identity checks before traffic reaches the vulnerable component.
# Example nginx reverse proxy rule: block all access to Performance Monitor URIs
# until the patch is applied. Adjust the paths to match your PeopleSoft deployment.
location ~* ^/(ppmi|monitor)/ {
    # "return 403" answers in the rewrite phase, before a "deny all" in the access
    # phase would ever run, so a single directive is enough; both yield HTTP 403.
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

