CVE-2026-35279 Overview
CVE-2026-35279 affects the Performance Monitor component of Oracle PeopleSoft Enterprise PT PeopleTools. The flaw allows an unauthenticated remote attacker with network access via HTTP to compromise the affected installation. Successful exploitation results in full takeover of PeopleSoft Enterprise PT PeopleTools, impacting confidentiality, integrity, and availability. The weakness is classified under [CWE-306] Missing Authentication for Critical Function. Oracle addressed this issue in its June 2026 Critical Patch Update.
Critical Impact
An unauthenticated attacker reachable over HTTP can take over PeopleSoft Enterprise PT PeopleTools, gaining control over sensitive enterprise data and administrative functions.
Affected Products
- Oracle PeopleSoft Enterprise PT PeopleTools version 8.61
- Oracle PeopleSoft Enterprise PT PeopleTools version 8.62
- Performance Monitor component
Discovery Timeline
- 2026-06-17 - CVE-2026-35279 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-35279
Vulnerability Analysis
The vulnerability resides in the Performance Monitor component of PeopleSoft PT PeopleTools. Performance Monitor exposes HTTP-accessible interfaces used to collect and view runtime telemetry from PeopleSoft application servers. A function that is critical to the security of the system does not properly enforce authentication, so a remote attacker can reach privileged operations without valid credentials.
Exploitation requires specific preconditions, reflected in the high attack complexity rating. Despite the complexity, successful attacks yield total compromise of the PeopleTools installation, including confidentiality, integrity, and availability of business-critical data. EPSS data places the probability of exploitation at 0.373%.
Root Cause
The root cause is Missing Authentication for Critical Function [CWE-306]. A function within the Performance Monitor that is reachable over HTTP performs sensitive operations without verifying the requester's identity. Attackers who satisfy the required conditions can invoke this function directly and pivot to full application takeover.
Attack Vector
The attack vector is network-based over HTTP and requires no authentication or user interaction. An attacker sends crafted HTTP requests to a reachable Performance Monitor endpoint on a vulnerable PeopleTools 8.61 or 8.62 deployment. Because Performance Monitor endpoints are commonly bound to internal application server URLs, exposure depends on network segmentation and reverse proxy configuration.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Oracle Security Alert for vendor technical details.
Detection Methods for CVE-2026-35279
Indicators of Compromise
- Unauthenticated HTTP requests to Performance Monitor servlet paths under the PeopleSoft web server
- Unexpected administrative operations or configuration changes performed without an associated authenticated session
- New or modified PeopleTools user accounts, roles, or permission lists created outside change windows
- Outbound connections from PeopleSoft application servers to unfamiliar hosts following inbound HTTP traffic
Detection Strategies
- Inspect PeopleSoft web server access logs for requests targeting Performance Monitor endpoints that lack a valid session cookie or authentication header
- Correlate HTTP request patterns against process execution telemetry on PeopleSoft application servers to identify post-request command activity
- Alert on PeopleTools PSAESRV or PSAPPSRV processes spawning shells, scripting interpreters, or unexpected child processes
Monitoring Recommendations
- Forward web server, application server, and operating system logs to a centralized analytics platform for sustained review
- Baseline normal Performance Monitor traffic volumes and source IP ranges, then alert on deviations
- Monitor for privilege changes and schema modifications in the PeopleSoft database tier that lack corresponding authenticated user activity
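The following script is an added example, not part of the original advisory or of any Oracle tooling. It implements the two log-based checks recommended above: flagging requests to Performance Monitor paths that carry no session cookie, and flagging such requests from source addresses outside the trusted administrative ranges. The path pattern mirrors the reverse proxy rule later on this page (/psp/.*PERFMON.*); the cookie name PS_TOKEN, the 10.0.0.0/8 trusted range, the log line layout (a combined-style line with the Cookie header appended in quotes) and all sample log lines are assumptions constructed for the example and must be adjusted to the real web tier configuration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Path pattern for Performance Monitor requests. Mirrors the proxy rule on this
# page; ASSUMPTION: real deployments must substitute their actual servlet paths.
PERFMON_PATH = re.compile(r"/psp/.*PERFMON.*", re.IGNORECASE)

# Cookie names treated as evidence of an authenticated PeopleSoft session.
# ASSUMPTION: PS_TOKEN is used as an illustrative name; confirm against the web tier.
SESSION_COOKIES = ("PS_TOKEN",)

# Trusted administrative networks (example range, constructed for this script).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log layout: combined-format prefix followed by the Cookie header in
# quotes (e.g. an nginx log_format that appends "$http_cookie"). Adjust per site.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<cookie>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    ip: str
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def has_session_cookie(cookie_header: str) -> bool:
    """True if any configured session cookie name appears in the Cookie header."""
    names = {c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()}
    return any(name in names for name in SESSION_COOKIES)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a trusted administrative network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or masked address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines: List[str]) -> List[Finding]:
    """Flag Performance Monitor requests lacking a session cookie or from untrusted sources."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not PERFMON_PATH.search(rec["path"]):
            continue
        reasons = []
        if not has_session_cookie(rec["cookie"]):
            reasons.append("no session cookie")
        if not is_trusted(rec["ip"]):
            reasons.append("source outside trusted admin networks")
        if reasons:
            findings.append(Finding(n, rec["ip"], rec["path"], reasons))
    return findings


# Constructed sample log lines (placeholder paths, addresses and cookie values).
SAMPLE_LOG = [
    '10.1.2.3 - - [17/Jun/2026:10:00:01 +0000] "GET /psp/PERFMON/sample-page HTTP/1.1" 200 5120 "PS_TOKEN=abc123"',
    '10.1.2.3 - - [17/Jun/2026:10:00:05 +0000] "GET /psp/PERFMON/sample-page HTTP/1.1" 200 5120 "-"',
    '203.0.113.5 - - [17/Jun/2026:10:00:09 +0000] "POST /psp/perfmon/sample-action HTTP/1.1" 200 310 "-"',
    '203.0.113.5 - - [17/Jun/2026:10:00:12 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 2048 "PS_TOKEN=def456"',
    'not a log line',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ip} {f.path}: {', '.join(f.reasons)}")
```

Line 2 of the sample is flagged only for the missing cookie (trusted source), line 3 for both conditions, and the signon request and the unparseable line produce nothing. In production the trusted ranges should come from the same allow-list used by the reverse proxy so the detector and the control agree.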
How to Mitigate CVE-2026-35279
Immediate Actions Required
- Apply the Oracle Critical Patch Update from June 2026 to all PeopleTools 8.61 and 8.62 installations
- Inventory all PeopleSoft environments, including non-production and disaster recovery instances, and prioritize internet-exposed systems
- Restrict network access to Performance Monitor endpoints to trusted administrative networks only
- Review web server and application server logs for prior unauthenticated requests to Performance Monitor paths
Patch Information
Oracle published the fix as part of the June 2026 Critical Patch Update. Administrators should consult the Oracle Security Alert for affected version details, patch identifiers, and installation instructions. Apply fixes to both PeopleTools binaries and any dependent middleware components specified by Oracle.
Workarounds
- Disable the Performance Monitor component if it is not in active use within the environment
- Place PeopleSoft web tier behind a reverse proxy or WAF that blocks external requests to Performance Monitor URI paths
- Enforce IP allow-listing on the application server for Performance Monitor servlets until the patch is deployed
- Require mutual TLS or network-level authentication on management interfaces exposing PeopleTools functions
# Example reverse proxy rule (nginx) to block external access to Performance Monitor paths.
# Adjust the path pattern to the servlet paths actually used in the deployment.
location ~* /psp/.*PERFMON.* {
    allow 10.0.0.0/8;   # trusted administrative network (example range)
    deny all;           # nginx answers denied clients with 403 on its own
    # An unconditional "return 403;" here would run in the rewrite phase, before
    # allow/deny are evaluated, and would block the allowed network as well.
    proxy_pass http://peoplesoft_web;  # placeholder upstream; point at the real PeopleSoft web tier
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

