HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-35276Published Modified CNA oracle

CVE-2026-35276: Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Application Server)

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Application Server). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1
8.1
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An unauthenticated remote attack vulnerability exists in the Application Server component of Oracle PeopleSoft Enterprise PT PeopleTools (versions 8.61 and 8.62). The flaw is reachable over HTTP without any credentials, though exploitation requires meeting high-complexity conditions. Successful exploitation gives the attacker full control of the PeopleTools instance, including read and write access to all data and the ability to disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle PeopleTools components. Any image running an affected version (8.61 or 8.62) of PeopleSoft Enterprise PT PeopleTools is flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and surfaces it with that rating in each customer's findings dashboard, weighted further by any per-environment compliance policy rules the customer has configured. Triage routing directs the finding to the team or inbox designated by each customer org for high-severity network-exposed vulnerabilities.

Available
Patch

Because Oracle has not yet published a fix version, HarborGuard re-checks the Oracle and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will follow without manual intervention once the fix version is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the PeopleTools Application Server over the network via HTTP; no local or physical access is assumed.

  • AuthenticationNot required

    No credentials are needed; the vulnerable endpoint is accessible to unauthenticated requests.

  • Victim interactionNot required

    The attacker does not need any action from a logged-in user or administrator to trigger the vulnerability.

  • Attack complexityDetail

    Exploitation is rated High complexity, meaning the attacker must satisfy specific environmental or timing conditions (such as race conditions or particular server state) before the attack reliably succeeds.

Blast Radius

  • A successful attacker reads all data accessible to the PeopleTools Application Server, including HR records, financial data, and session tokens stored within the platform.
  • The attacker can write or modify persisted data across PeopleTools-managed databases and configuration stores.
  • Full process-level takeover of the Application Server is achievable, enabling the attacker to install backdoors or pivot to connected backend systems.
  • The attacker can crash or degrade the Application Server, denying access to all PeopleSoft services that depend on it.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet released a fix for CVE-2026-35276, the recommended immediate steps are compensating controls while monitoring continues. HarborGuard's advisory tracker re-checks Oracle's CPU (Critical Patch Update) feed and NVD on every ingest cycle; customers receive an updated finding and rebuild offer automatically when a patch version is published. In the interim, customers can use HarborGuard's network-policy recommendation feature to generate a deny-by-default ingress rule scoped to the PeopleTools Application Server port, limiting HTTP exposure to known source IP ranges. Egress filtering rules are also available to restrict lateral movement from a compromised Application Server container. For customers who opt into auto-remediation, the full rebuild, regression-test run, and PR-against-affected-workloads flow will trigger without manual intervention as soon as Oracle ships a fix and HarborGuard ingests the patched base image.

See how HarborGuard automates this
Affected packages
  • Oracle Corporation / PeopleSoft Enterprise PT PeopleTools
    8.61 · 8.62
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References