CVE-2026-35288 Overview
CVE-2026-35288 is a privilege management vulnerability [CWE-269] in the Oracle PeopleSoft Enterprise PT PeopleTools product, specifically within the Deployment Package component. Affected versions include 8.61 and 8.62. The flaw allows a high-privileged attacker with logon access to the infrastructure running PeopleTools to fully compromise the product. Because the vulnerability triggers a scope change, exploitation can extend impact to additional products beyond PeopleTools. Oracle disclosed the issue in its June 2026 Critical Patch Update.
Critical Impact
Successful exploitation results in complete takeover of PeopleSoft Enterprise PT PeopleTools, with confidentiality, integrity, and availability impacts extending to adjacent products through scope change.
Affected Products
- Oracle PeopleSoft Enterprise PT PeopleTools 8.61
- Oracle PeopleSoft Enterprise PT PeopleTools 8.62
- Deployment Package component
Discovery Timeline
- 2026-06-17 - CVE-2026-35288 published to the National Vulnerability Database (NVD)
- 2026-06-18 - Last updated in the NVD
Technical Details for CVE-2026-35288
Vulnerability Analysis
The vulnerability resides in the Deployment Package component of PeopleSoft Enterprise PT PeopleTools. It is classified under [CWE-269] Improper Privilege Management, indicating that the component fails to correctly assign, track, or revoke privileges during deployment operations. An attacker who already holds elevated privileges on the host where PeopleTools executes can abuse this weakness to seize control of the application.
The scope change indicator in the CVSS vector signals that the impact crosses a security authority boundary. Exploitation does not remain confined to PeopleTools and can affect additional products that share the infrastructure or trust relationships with the compromised instance.
Oracle classifies the issue as easily exploitable, with full impact across confidentiality, integrity, and availability. The attack requires local access and no user interaction, making it well suited for post-compromise lateral movement scenarios where an adversary has already obtained administrative footholds.
Root Cause
The Deployment Package component performs operations without enforcing strict privilege boundaries. A user with administrative logon to the infrastructure can manipulate deployment functionality to execute actions or access resources outside the intended privilege envelope, leading to takeover of the PeopleTools instance.
Attack Vector
The attack vector is local. An attacker must first authenticate to the infrastructure where PeopleTools runs with high privileges. From that position, the attacker interacts with the Deployment Package component to escalate control over PeopleTools and pivot to connected products. Refer to the Oracle Critical Patch Update Advisory - June 2026 for vendor-supplied technical details.
Detection Methods for CVE-2026-35288
Indicators of Compromise
- Unexpected Deployment Package operations executed outside scheduled change windows
- New or modified PeopleTools administrative accounts following privileged logon events
- Anomalous file writes or process executions originating from PeopleTools deployment processes
- Outbound connections from PeopleTools hosts to non-standard internal systems indicating scope-change exploitation
Detection Strategies
- Audit privileged logons to PeopleSoft infrastructure hosts and correlate them with Deployment Package activity
- Baseline normal Deployment Package usage patterns and alert on deviations in frequency, source account, or target artifacts
- Monitor PeopleTools application and OS logs for privilege transitions that do not match documented change tickets
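The correlation described in the three strategies above, as an added example that is not part of the original advisory or of any Oracle tooling: it parses constructed host logon lines and constructed Deployment Package operation lines (the `dpk:` log format, account names, package names and change-ticket values are all invented for illustration and do not reproduce PeopleTools' real log layout), then flags each deployment operation that runs outside an approved change window, comes from an account not on the approved administrator list, carries no change ticket, or has no privileged logon by the same account on the same host within the preceding 30 minutes.

```python
"""Correlate privileged host logons with Deployment Package (DPK) operations.

Added example for CVE-2026-35288 detection. All log lines, account names,
package names, ticket ids and the change window below are CONSTRUCTED for
illustration; the 'dpk:' record layout is a hypothetical format, not the
actual PeopleTools log format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sshd-style logon lines from a PeopleTools host.
AUTH_LOG = """\
2026-06-18T01:55:10 host1 sshd: Accepted publickey for psadm from 10.0.5.21
2026-06-18T02:05:42 host1 sshd: Accepted password for oracle from 10.0.5.40
2026-06-18T14:10:03 host1 sshd: Accepted publickey for root from 10.0.9.99
"""

# Constructed Deployment Package operation lines (hypothetical format).
DPK_LOG = """\
2026-06-18T02:10:15 host1 dpk: user=psadm op=deploy package=PT8.62_DPK ticket=CHG-1042
2026-06-18T14:12:01 host1 dpk: user=root op=deploy package=PT8.62_DPK ticket=-
2026-06-18T14:25:40 host1 dpk: user=psadm op=install package=PT8.61_DPK ticket=CHG-1050
"""

# Constructed policy: one approved change window and one approved DPK operator.
CHANGE_WINDOWS = [(datetime(2026, 6, 18, 1, 0), datetime(2026, 6, 18, 3, 0))]
APPROVED_ADMINS = {"psadm"}
LOGON_CORRELATION_WINDOW = timedelta(minutes=30)

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \S+ for (?P<user>\S+) from"
)
DPK_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dpk: user=(?P<user>\S+) op=(?P<op>\S+) "
    r"package=(?P<pkg>\S+) ticket=(?P<ticket>\S+)"
)


@dataclass
class Logon:
    ts: datetime
    host: str
    user: str


@dataclass
class DpkOp:
    ts: datetime
    host: str
    user: str
    op: str
    package: str
    ticket: str | None  # None when the record carries no change ticket


def parse_logons(text: str) -> list[Logon]:
    """Extract successful interactive logons; unmatched lines are ignored."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            out.append(Logon(datetime.fromisoformat(m["ts"]), m["host"], m["user"]))
    return out


def parse_dpk_ops(text: str) -> list[DpkOp]:
    """Extract Deployment Package operations; '-' means no ticket was supplied."""
    out = []
    for line in text.splitlines():
        m = DPK_RE.match(line)
        if m:
            ticket = None if m["ticket"] == "-" else m["ticket"]
            out.append(DpkOp(datetime.fromisoformat(m["ts"]), m["host"],
                             m["user"], m["op"], m["pkg"], ticket))
    return out


def in_change_window(ts: datetime, windows) -> bool:
    return any(start <= ts <= end for start, end in windows)


def has_recent_logon(op: DpkOp, logons: list[Logon], window: timedelta) -> bool:
    """True if the same account logged on to the same host shortly before the op."""
    limit = window.total_seconds()
    return any(
        lg.user == op.user and lg.host == op.host
        and 0 <= (op.ts - lg.ts).total_seconds() <= limit
        for lg in logons
    )


def analyze(auth_log: str, dpk_log: str, windows=CHANGE_WINDOWS,
            admins=APPROVED_ADMINS, window=LOGON_CORRELATION_WINDOW):
    """Return (timestamp, user, op, reasons) for every DPK op that deviates."""
    logons = parse_logons(auth_log)
    findings = []
    for op in parse_dpk_ops(dpk_log):
        reasons = []
        if not in_change_window(op.ts, windows):
            reasons.append("outside_change_window")
        if op.user not in admins:
            reasons.append("unapproved_account")
        if op.ticket is None:
            reasons.append("missing_change_ticket")
        if not has_recent_logon(op, logons, window):
            reasons.append("no_recent_privileged_logon")
        if reasons:
            findings.append((op.ts.isoformat(), op.user, op.op, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, op, reasons in analyze(AUTH_LOG, DPK_LOG):
        print(f"{ts} {user} {op}: {', '.join(reasons)}")
```

In the constructed data the 02:10 deploy by psadm passes every check, the 14:12 deploy by root is flagged on three counts, and the 14:25 install by psadm is flagged because it falls outside the window and psadm's only logon was more than 30 minutes earlier, which is the "deployment activity without a matching privileged session" signal the strategies above describe. In a real pipeline the regexes would be replaced by parsers for the actual PeopleTools and OS log formats and the approved-admin set and change windows would come from the change-management system.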
Monitoring Recommendations
- Forward PeopleTools, database, and host operating system logs to a centralized analytics platform for cross-source correlation
- Track integrity of PeopleTools binaries, configuration files, and deployment manifests using file integrity monitoring
- Alert on lateral movement attempts from PeopleTools hosts to adjacent Oracle products that share trust relationships
How to Mitigate CVE-2026-35288
Immediate Actions Required
- Apply the fixes from the Oracle June 2026 Critical Patch Update to all PeopleTools 8.61 and 8.62 deployments
- Inventory all infrastructure hosts running PeopleTools and confirm patch coverage across production and non-production tiers
- Review and reduce the number of accounts holding high-privilege logon rights on PeopleTools infrastructure
- Rotate credentials for administrative accounts that have recently accessed affected systems
Patch Information
Oracle published fixes as part of the June 2026 Critical Patch Update. Administrators should consult the Oracle Critical Patch Update Advisory - June 2026 for the exact patch identifiers, prerequisites, and product-specific installation guidance.
Workarounds
- Restrict logon access to PeopleTools infrastructure to a minimal set of named administrators until patches are applied
- Enforce multi-factor authentication and just-in-time elevation for privileged accounts that operate the Deployment Package component
- Segment PeopleTools hosts from adjacent Oracle products to limit blast radius from scope-change exploitation
- Increase audit logging verbosity on Deployment Package operations and review logs daily during the remediation window
# Configuration example
# Review accounts with privileged logon to PeopleTools hosts (Linux):
# list local accounts with a UID below 1000 (root and system accounts) that
# still have an interactive login shell, printing name:uid:shell. Extend the
# test to also cover the named PeopleTools administrator accounts in use on
# the host.
awk -F: '($3<1000)&&($7!~/nologin|false/){print $1":"$3":"$7}' /etc/passwd
# Audit recent privileged sessions from the wtmp login records, with full
# login/logout timestamps; adjust the account pattern to the administrative
# account names used on the host.
last -F | grep -iE 'root|psadm|oracle' | head -50
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

