CVE-2026-35273
CVE-2026-35273 is a critical-severity vulnerability in Oracle Peoplesoft Enterprise Peopletools with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-06-12). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 92% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-06-12)
- EU (EUVD) id: EUVD-2026-36199
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-06-12)
- Weakness: CWE-306
- Affected product: Oracle Peoplesoft Enterprise Peopletools
- Published:
- Last modified:
Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2026-35273: Unauthenticated Remote Takeover in Oracle PeopleSoft Enterprise PeopleTools
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-35273 |
| Vendor | Oracle |
| Product | PeopleSoft Enterprise PeopleTools |
| Component | Updates Environment Management |
| CVSS 3.1 | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-306: Missing Authentication for Critical Function |
| EPSS | 0.9233 (92.33%) — 99.81st percentile |
| KEV | Yes (CISA, added 2026-06-12) |
| EU Exploited | Yes (since 2026-06-12) |
Summary
Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 contain a critical vulnerability in the Updates Environment Management component. An unauthenticated attacker with network access can exploit this flaw via HTTP to achieve a complete compromise of the PeopleTools instance, including unauthorized access to confidential data, system modification, and service disruption.
Background
PeopleSoft Enterprise PeopleTools is the foundational technical layer underlying Oracle's PeopleSoft applications, providing development, runtime, and administrative capabilities. The Updates Environment Management component is responsible for managing update environments and deployment workflows within the PeopleSoft ecosystem. A security flaw in this component's access controls has been identified and is actively being exploited in the wild.
Root Cause
CWE-306: Missing Authentication for Critical Function
The vulnerability stems from a failure to enforce authentication on a critical function within the Updates Environment Management component. The affected endpoint or functionality does not verify that the requesting party has valid credentials before executing sensitive operations. This design oversight allows any network-reachable actor to interact with administrative-level capabilities without presenting authentication material, effectively bypassing the application's identity and access control boundary.
Impact
The CVSS 3.1 score of 9.8 (Critical) reflects the severe and wide-reaching impact of this vulnerability:
- Attack Vector (AV): Network — Exploitable remotely over the internet without physical or local network presence.
- Attack Complexity (AC): Low — No special conditions or advanced techniques are required.
- Privileges Required (PR): None — No user account or credentials are needed.
- User Interaction (UI): None — No social engineering or user action is required.
- Scope (S): Unchanged — The vulnerable component itself is compromised.
- Confidentiality (C): High — Attackers can access sensitive data.
- Integrity (I): High — Attackers can modify data or system configuration.
- Availability (A): High — Attackers can disrupt service operations.
Successful exploitation results in complete takeover of the PeopleSoft Enterprise PeopleTools instance, granting the attacker equivalent capabilities to a legitimate administrator.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness and detection engineering only. No weaponized exploit code is included. Organizations should use this information to prioritize patching and detection, not to attempt unauthorized access.
An attacker can exploit this vulnerability by sending crafted HTTP requests to the affected Updates Environment Management endpoint. Because the component fails to authenticate requests, the attacker does not need to obtain valid credentials, session tokens, or API keys. The attacker may be able to:
- Invoke administrative functions exposed by the component.
- Retrieve or modify environment configuration data.
- Potentially chain the access into broader system compromise.
Defensive notes:
- Monitor HTTP access logs to the Updates Environment Management paths for anomalous request patterns from unexpected source IPs.
- Look for requests that trigger administrative actions without preceding authentication events.
- Consider geo-blocking or IP-restriction where the component does not require global internet exposure.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | 8.61, 8.62 |
| Patched | Contact Oracle or refer to the Oracle security alert for patch availability and supported patch versions. |
Remediation
- Apply Vendor Patches: Consult Oracle's official security alert for CVE-2026-35273 and apply the recommended patch or upgrade to a non-vulnerable version as soon as possible.
- Network Segmentation: Restrict network access to the PeopleSoft Enterprise PeopleTools administration interfaces. Do not expose Updates Environment Management endpoints to the public internet unless absolutely necessary.
- Web Application Firewall (WAF): Deploy WAF rules to block anomalous HTTP requests targeting the affected component paths, as a temporary compensating control until patching is completed.
- Access Logging and Monitoring: Ensure comprehensive logging is enabled for all HTTP traffic to PeopleTools components. Forward logs to a SIEM for real-time correlation and alerting.
- Credential Review: As a post-incident precaution, rotate administrative credentials and review access logs for indicators of unauthorized access during the exposure window.
Detection
- Log Sources: HTTP access logs, application logs from the PeopleSoft web tier, and reverse proxy logs.
- Indicators: Unauthenticated HTTP requests to the Updates Environment Management component that return successful status codes (e.g., 200 OK) rather than authentication redirects (e.g., 302 or 401).
- Anomaly Patterns: Requests originating from unexpected geographies, Tor exit nodes, or cloud hosting IPs; sudden spikes in requests to administrative paths; requests lacking session cookies or authorization headers.
- Threat Intelligence: Correlate source IPs against known threat actor infrastructure and CISA's KEV catalog updates.
Assessment
CVE-2026-35273 is an exceptionally high-risk vulnerability. With a CVSS 3.1 score of 9.8, an EPSS of 92.33%, and confirmed inclusion in both the CISA KEV catalog and EU exploited vulnerabilities database (active since 2026-06-12), this flaw is being actively leveraged by threat actors in the wild. Organizations running affected PeopleTools versions should treat this as an emergency patching event.
Key lessons:
- Authentication is non-negotiable on administrative endpoints: Even internal-facing components must enforce strong authentication, as network boundaries can be bridged more easily than assumed.
- EPSS and KEV status should drive prioritization: The combination of a near-maximum EPSS score and rapid KEV inclusion (one day after publication) demonstrates that attackers moved quickly to weaponize this flaw. Security teams should integrate EPSS and KEV feeds directly into vulnerability prioritization workflows.
References
Frequently asked questions
- What is CVE-2026-35273?
- Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- How severe is CVE-2026-35273?
- CVE-2026-35273 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-35273 being actively exploited?
- Yes. CVE-2026-35273 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-06-12, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2026-35273?
- CVE-2026-35273 primarily affects Oracle Peoplesoft Enterprise Peopletools. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-35273?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2026-35273 have an EU (EUVD) identifier?
- Yes. CVE-2026-35273 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-36199. It is also flagged as exploited in the EUVD (since 2026-06-12).
- When was CVE-2026-35273 published?
- CVE-2026-35273 was published on 2026-06-11 and last updated on 2026-06-17.
References
- https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273
Affected products (2)
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:*
More vulnerabilities in Oracle Peoplesoft Enterprise Peopletools
- CVE-2008-0345 — Critical (CVSS 10.0): Unspecified vulnerability in the Core RDBMS component in Oracle Database 11.1.0.6 has unknown impact and remote attack…
- CVE-2008-0344 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.3 has unknown impact…
- CVE-2008-0340 — Critical (CVSS 10.0): Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 have…
- CVE-2008-0347 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Ultra Search component in Oracle Collaboration Suite 10.1.2; Database 9.2.0.8,…
- CVE-2008-0343 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Spatial component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, and…
- CVE-2008-0346 — Critical (CVSS 10.0): Unspecified vulnerability in the Oracle Jinitiator component in Oracle Application Server 1.3.1.27 and E-Business Suite…
All CVEs affecting Oracle Peoplesoft Enterprise Peopletools →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →