CVE-2026-35274: Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package)
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PT PeopleTools accessible data as well as unauthorized update, insert or delete access to some of PeopleSoft Enterprise PT PeopleTools accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated network-exploitable vulnerability affects the Deployment Package component of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62. Any attacker with HTTP access to the service can exploit it without any credentials or victim interaction, making it straightforward to trigger at scale. Successful exploitation gives an attacker full read access to all data the application can reach, plus limited ability to write, insert, or delete some of that data. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from Oracle and upstream security feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that layer PeopleTools components.
Status: Available
HarborGuard scores this CVE at CVSS 8.2 HIGH and is capable of weighting that score against each customer environment's compliance policy, routing findings to the appropriate team inbox for prioritization.
Status: Available
Because no fix version has been published by Oracle, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the PeopleTools Deployment Package service over the network via HTTP; no physical or local access is needed.
- Authentication: Not required
  No credentials of any privilege level are required; the vulnerability is exploitable by a fully unauthenticated attacker.
- Victim interaction: Not required
  The attacker does not need to trick or involve any user; exploitation is entirely attacker-driven.
- Attack complexity: Detail
  Attack complexity is Low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.
Blast Radius
- An attacker reads the full dataset accessible to the PeopleTools application, which can include HR records, payroll data, configuration secrets, and session material.
- An attacker inserts, modifies, or deletes a subset of application data, allowing targeted tampering with records the service can write to.
- No availability impact is rated, so the service itself is not expected to crash or become unavailable as a direct result of exploitation.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer image inventories at CVSS 8.2 HIGH. Because Oracle has not yet published a fix for PeopleTools 8.61 or 8.62, no patched-image rebuild can be generated today. In the interim, customers can use HarborGuard's network-policy controls to flag images containing affected PeopleTools versions and apply compensating controls such as restricting HTTP ingress to the Deployment Package endpoint via egress-filter rules or service-mesh policy, and disabling the Deployment Package feature flag if the component is not operationally required. HarborGuard will re-check the Oracle advisory on every ingest cycle; the moment a fix version is published, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and PR opened against affected workloads.
- Oracle Corporation / PeopleSoft Enterprise PT PeopleTools: 8.61 · 8.62
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N