CVE-2026-35289 Overview
CVE-2026-35289 is a high-severity vulnerability affecting the Deployment Package component of Oracle PeopleSoft Enterprise PT PeopleTools. Supported versions 8.61 and 8.62 are affected. An unauthenticated attacker with network access via HTTPS can exploit this flaw to fully compromise PeopleSoft Enterprise PT PeopleTools. The weakness is classified as Missing Authentication for Critical Function [CWE-306]. Successful exploitation results in complete takeover of the affected PeopleTools instance, impacting confidentiality, integrity, and availability.
Critical Impact
Unauthenticated network attackers can take over Oracle PeopleSoft Enterprise PT PeopleTools deployments, gaining control over confidentiality, integrity, and availability of the application.
Affected Products
- Oracle PeopleSoft Enterprise PT PeopleTools 8.61
- Oracle PeopleSoft Enterprise PT PeopleTools 8.62
- Component: Deployment Package
Discovery Timeline
- 2026-06-17 - CVE-2026-35289 published to NVD
- 2026-06-18 - Last updated in NVD database
- June 2026 - Addressed in Oracle Security Alert June 2026
Technical Details for CVE-2026-35289
Vulnerability Analysis
The vulnerability resides in the Deployment Package component of PeopleSoft Enterprise PT PeopleTools. The component fails to enforce authentication on a critical function, allowing an unauthenticated remote attacker to interact with privileged functionality over HTTPS. Successful exploitation leads to full takeover of the PeopleTools instance, including the ability to read sensitive data, modify application state, and disrupt service availability.
Exploitation requires meeting specific preconditions, raising attack complexity. However, no privileges or user interaction are required, and the attack is delivered entirely over the network. This makes internet-exposed PeopleSoft deployments a viable target for opportunistic and targeted intrusions.
Root Cause
The root cause is Missing Authentication for Critical Function [CWE-306]. The Deployment Package component exposes functionality that should require authenticated, authorized access but instead permits anonymous callers to reach it. When a critical operation lacks an authentication check, attackers can invoke the operation directly without supplying valid credentials.
Attack Vector
The attack vector is network-based via HTTPS. An attacker sends crafted HTTPS requests to a vulnerable PeopleTools Deployment Package endpoint. Because no credentials are validated, the request is processed with privileges sufficient to alter or take over the PeopleTools environment. The scope remains unchanged, but confidentiality, integrity, and availability are all fully impacted.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability indicates a low near-term exploitation likelihood, but unauthenticated network reachability makes prompt patching essential for any internet-facing deployment.
Detection Methods for CVE-2026-35289
Indicators of Compromise
- Unexpected HTTPS requests to PeopleSoft Deployment Package endpoints originating from external or non-administrative source addresses.
- Creation or modification of PeopleTools deployment artifacts outside of scheduled change windows.
- New administrative accounts, scheduled jobs, or service principals appearing in PeopleSoft audit logs without a corresponding change ticket.
- Outbound connections from PeopleTools application servers to unknown external hosts following anomalous inbound HTTPS traffic.
Detection Strategies
- Inspect web server and application server logs for unauthenticated requests reaching Deployment Package URLs and flag responses with 2xx status codes.
- Correlate PeopleSoft audit logs with web traffic logs to detect privileged operations that lack a preceding successful authentication event.
- Baseline normal Deployment Package usage by administrator accounts and alert on deviations in request volume, source IP, or User-Agent.
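As an added example (not from the original page or from Oracle), the following Python script implements the first two detection strategies above and the first indicator of compromise: it scans web-tier access logs for requests to Deployment Package paths that returned 2xx, then checks whether the source address belongs to an administrative network and whether a successful sign-on from that address precedes the request. The Deployment Package path prefix, the administrative network ranges, the sign-on audit line format and all log lines are constructed placeholders; map them onto the real URLs, networks and audit sources in your environment.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Placeholder path prefix (taken from the page's Apache example); replace with the
# real Deployment Package URL(s) in your deployment.
DEPLOYMENT_PREFIX = "/psp/deployment"

# Trusted administrative networks (the page's example ranges; adjust to yours).
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("10.20.5.0/24"),
]

# Apache/nginx "combined" access log format.
WEB_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WEB_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical sign-on audit format: "<ISO timestamp> <ip> <user> SIGNON_OK".
# Map this onto your actual PeopleSoft sign-on audit source.
AUTH_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) SIGNON_OK$")

# Constructed sample data: one legitimate admin session, one external caller,
# one internal caller with no sign-on, one blocked request, one unrelated page.
WEB_LOG_SAMPLE = [
    '10.10.4.7 - - [20/Jun/2026:10:05:12 +0000] "POST /psp/deployment/apply HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [20/Jun/2026:10:07:30 +0000] "POST /psp/deployment/apply HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '10.10.4.9 - - [20/Jun/2026:10:09:01 +0000] "GET /psp/deployment/status HTTP/1.1" 200 128 "-" "curl/8.0"',
    '198.51.100.8 - - [20/Jun/2026:10:10:00 +0000] "POST /psp/deployment/apply HTTP/1.1" 403 0 "-" "curl/8.0"',
    '10.10.4.7 - - [20/Jun/2026:10:11:00 +0000] "GET /psp/home HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
AUTH_LOG_SAMPLE = [
    "2026-06-20T10:00:00+00:00 10.10.4.7 PSADMIN SIGNON_OK",
]


def parse_web_line(line):
    """Parse one combined-format access log line; return None on non-matching input."""
    m = WEB_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], WEB_TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def parse_auth_line(line):
    """Parse one hypothetical sign-on audit line; return None on non-matching input."""
    m = AUTH_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_admin_source(ip):
    """True when the address falls inside one of the administrative networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def find_suspicious_deployment_requests(web_lines, auth_lines, window=timedelta(minutes=30)):
    """Return (source_ip, path, reasons) for each 2xx Deployment Package request that
    comes from outside the admin networks or has no successful sign-on from the same
    source within `window` before it. Non-2xx responses are ignored (the request
    was refused), as are paths outside the Deployment Package prefix."""
    signons = [a for a in (parse_auth_line(l) for l in auth_lines) if a]
    findings = []
    for req in (parse_web_line(l) for l in web_lines):
        if not req or not req["path"].startswith(DEPLOYMENT_PREFIX):
            continue
        if not 200 <= req["status"] < 300:
            continue
        reasons = []
        if not is_admin_source(req["ip"]):
            reasons.append("source outside admin networks")
        authed = any(
            a["ip"] == req["ip"] and req["ts"] - window <= a["ts"] <= req["ts"]
            for a in signons
        )
        if not authed:
            reasons.append("no prior successful sign-on from this source")
        if reasons:
            findings.append((req["ip"], req["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in find_suspicious_deployment_requests(WEB_LOG_SAMPLE, AUTH_LOG_SAMPLE):
        print(f"ALERT {ip} {path}: {'; '.join(reasons)}")
```

On the constructed sample the script flags the external caller on both counts and the internal caller that reached a Deployment Package path with no preceding sign-on, while the admin session with a sign-on five minutes earlier and the 403-refused request pass. The sign-on window and the set of administrative networks are the two knobs that determine false-positive rate; tune them against the baseline of normal administrator usage described in the last strategy above.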
Monitoring Recommendations
- Forward PeopleSoft application, web, and database audit logs to a centralized analytics platform for cross-source correlation.
- Enable file integrity monitoring on PeopleTools configuration directories and deployment package storage locations.
- Monitor for process execution and child process creation on PeopleTools servers that deviates from established operational baselines.
How to Mitigate CVE-2026-35289
Immediate Actions Required
- Apply the patch from the Oracle Security Alert June 2026 advisory to all PeopleTools 8.61 and 8.62 instances.
- Inventory all PeopleSoft deployments and confirm version, exposure, and patch status before prioritizing remediation.
- Restrict network access to PeopleTools Deployment Package endpoints to trusted administrative networks only.
- Review authentication and authorization logs for the past 90 days for signs of anonymous access to privileged functions.
Patch Information
Oracle addressed CVE-2026-35289 as part of its June 2026 Critical Patch Update. Administrators should download and apply the relevant PeopleTools patches for versions 8.61 and 8.62 from My Oracle Support, following the guidance in the Oracle Security Alert June 2026.
Workarounds
- Place PeopleTools application and web tiers behind a reverse proxy or web application firewall that enforces authentication before requests reach Deployment Package endpoints.
- Block external access to Deployment Package URLs at the network perimeter and restrict to a management VLAN until patches can be applied.
- Disable or remove unused Deployment Package functionality if not required for current operations.
# Example: restrict access to PeopleSoft Deployment Package paths at the web tier
# (Apache HTTP Server 2.4 configuration snippet; adapt the path, network ranges
# and credential store to your environment). Both conditions must hold: the
# client must come from an administrative network AND present valid credentials.
# Listing the Require directives side by side without <RequireAll> would let
# either condition alone grant access.
<Location "/psp/deployment">
    AuthType Basic
    AuthName "PeopleSoft Admin"
    AuthBasicProvider file
    # Placeholder htpasswd path; point this at your real credential store.
    AuthUserFile "/etc/httpd/conf/peoplesoft-admin.htpasswd"
    <RequireAll>
        <RequireAny>
            Require ip 10.10.0.0/16
            Require ip 10.20.5.0/24
        </RequireAny>
        Require valid-user
    </RequireAll>
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.