CVE-2026-35273

CVE-2026-35273 is a critical-severity vulnerability in Oracle Peoplesoft Enterprise Peopletools with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-06-12). The underlying weakness is classified as CWE-306.

Key facts

Description

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2026-35273: Unauthenticated Remote Takeover in Oracle PeopleSoft Enterprise PeopleTools

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2026-35273
Vendor Oracle
Product PeopleSoft Enterprise PeopleTools
Component Updates Environment Management
CVSS 3.1 9.8 (Critical)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-306: Missing Authentication for Critical Function
EPSS 0.9233 (92.33%) — 99.81st percentile
KEV Yes (CISA, added 2026-06-12)
EU Exploited Yes (since 2026-06-12)

Summary

Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 contain a critical vulnerability in the Updates Environment Management component. An unauthenticated attacker with network access can exploit this flaw via HTTP to achieve a complete compromise of the PeopleTools instance, including unauthorized access to confidential data, system modification, and service disruption.

Background

PeopleSoft Enterprise PeopleTools is the foundational technical layer underlying Oracle's PeopleSoft applications, providing development, runtime, and administrative capabilities. The Updates Environment Management component is responsible for managing update environments and deployment workflows within the PeopleSoft ecosystem. A security flaw in this component's access controls has been identified and is actively being exploited in the wild.

Root Cause

CWE-306: Missing Authentication for Critical Function

The vulnerability stems from a failure to enforce authentication on a critical function within the Updates Environment Management component. The affected endpoint or functionality does not verify that the requesting party has valid credentials before executing sensitive operations. This design oversight allows any network-reachable actor to interact with administrative-level capabilities without presenting authentication material, effectively bypassing the application's identity and access control boundary.

Impact

The CVSS 3.1 score of 9.8 (Critical) reflects the severe and wide-reaching impact of this vulnerability:

  • Attack Vector (AV): Network — Exploitable remotely over the internet without physical or local network presence.
  • Attack Complexity (AC): Low — No special conditions or advanced techniques are required.
  • Privileges Required (PR): None — No user account or credentials are needed.
  • User Interaction (UI): None — No social engineering or user action is required.
  • Scope (S): Unchanged — The vulnerable component itself is compromised.
  • Confidentiality (C): High — Attackers can access sensitive data.
  • Integrity (I): High — Attackers can modify data or system configuration.
  • Availability (A): High — Attackers can disrupt service operations.

Successful exploitation results in complete takeover of the PeopleSoft Enterprise PeopleTools instance, granting the attacker equivalent capabilities to a legitimate administrator.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive awareness and detection engineering only. No weaponized exploit code is included. Organizations should use this information to prioritize patching and detection, not to attempt unauthorized access.

An attacker can exploit this vulnerability by sending crafted HTTP requests to the affected Updates Environment Management endpoint. Because the component fails to authenticate requests, the attacker does not need to obtain valid credentials, session tokens, or API keys. The attacker may be able to:

  • Invoke administrative functions exposed by the component.
  • Retrieve or modify environment configuration data.
  • Potentially chain the access into broader system compromise.

Defensive notes:

  • Monitor HTTP access logs to the Updates Environment Management paths for anomalous request patterns from unexpected source IPs.
  • Look for requests that trigger administrative actions without preceding authentication events.
  • Consider geo-blocking or IP-restriction where the component does not require global internet exposure.

Affected and Patched Versions

Status Versions
Affected 8.61, 8.62
Patched Contact Oracle or refer to the Oracle security alert for patch availability and supported patch versions.

Remediation

  1. Apply Vendor Patches: Consult Oracle's official security alert for CVE-2026-35273 and apply the recommended patch or upgrade to a non-vulnerable version as soon as possible.
  2. Network Segmentation: Restrict network access to the PeopleSoft Enterprise PeopleTools administration interfaces. Do not expose Updates Environment Management endpoints to the public internet unless absolutely necessary.
  3. Web Application Firewall (WAF): Deploy WAF rules to block anomalous HTTP requests targeting the affected component paths, as a temporary compensating control until patching is completed.
  4. Access Logging and Monitoring: Ensure comprehensive logging is enabled for all HTTP traffic to PeopleTools components. Forward logs to a SIEM for real-time correlation and alerting.
  5. Credential Review: As a post-incident precaution, rotate administrative credentials and review access logs for indicators of unauthorized access during the exposure window.

Detection

  • Log Sources: HTTP access logs, application logs from the PeopleSoft web tier, and reverse proxy logs.
  • Indicators: Unauthenticated HTTP requests to the Updates Environment Management component that return successful status codes (e.g., 200 OK) rather than authentication redirects (e.g., 302 or 401).
  • Anomaly Patterns: Requests originating from unexpected geographies, Tor exit nodes, or cloud hosting IPs; sudden spikes in requests to administrative paths; requests lacking session cookies or authorization headers.
  • Threat Intelligence: Correlate source IPs against known threat actor infrastructure and CISA's KEV catalog updates.

Assessment

CVE-2026-35273 is an exceptionally high-risk vulnerability. With a CVSS 3.1 score of 9.8, an EPSS of 92.33%, and confirmed inclusion in both the CISA KEV catalog and EU exploited vulnerabilities database (active since 2026-06-12), this flaw is being actively leveraged by threat actors in the wild. Organizations running affected PeopleTools versions should treat this as an emergency patching event.

Key lessons:

  1. Authentication is non-negotiable on administrative endpoints: Even internal-facing components must enforce strong authentication, as network boundaries can be bridged more easily than assumed.
  2. EPSS and KEV status should drive prioritization: The combination of a near-maximum EPSS score and rapid KEV inclusion (one day after publication) demonstrates that attackers moved quickly to weaponize this flaw. Security teams should integrate EPSS and KEV feeds directly into vulnerability prioritization workflows.

References

Frequently asked questions

What is CVE-2026-35273?
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
How severe is CVE-2026-35273?
CVE-2026-35273 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-35273 being actively exploited?
Yes. CVE-2026-35273 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-06-12, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2026-35273?
CVE-2026-35273 primarily affects Oracle Peoplesoft Enterprise Peopletools. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2026-35273?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2026-35273 have an EU (EUVD) identifier?
Yes. CVE-2026-35273 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-36199. It is also flagged as exploited in the EUVD (since 2026-06-12).
When was CVE-2026-35273 published?
CVE-2026-35273 was published on 2026-06-11 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Oracle Peoplesoft Enterprise Peopletools

All CVEs affecting Oracle Peoplesoft Enterprise Peopletools →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →