CRITICAL · CVE-2026-35278 · CNA: oracle

CVE-2026-35278: Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor)

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected products: 1

HarborGuard Analysis

Synopsis

This is a critical-severity unauthenticated remote compromise vulnerability in the Performance Monitor component of Oracle PeopleSoft Enterprise PT PeopleTools (versions 8.61 and 8.62). The flaw is reachable over the network via HTTP and requires no credentials or victim interaction, making it trivially exploitable by any attacker who can reach the service. Successful exploitation results in full takeover of the PeopleSoft Enterprise PT PeopleTools environment, with complete loss of confidentiality, integrity, and availability. No fix versions have been published by Oracle; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-35278 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from PeopleSoft base layers.

Status: Available

Triage

Triage capability is available with the CVSS 3.1 base score of 9.8 (Critical) surfaced alongside each matched image; per-environment compliance policy weighting can escalate or re-route the finding to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, the advisory remains open and flagged at Critical priority within each environment where affected image layers are detected.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the PeopleSoft Performance Monitor component over the network via HTTP; there is no local-only or adjacent-network restriction.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerable endpoint is exposed to unauthenticated requests.

  • Victim interaction: Not required

    The attacker does not need any action from a user or administrator to trigger the vulnerability.

  • Attack complexity (detail)

    Exploit complexity is low, meaning the attack is reliable and repeatable with no special environmental conditions, race conditions, or target-specific configuration required.

Blast Radius

  • A successful attacker reads all data accessible to the PeopleSoft application, including HR records, financial data, and stored session tokens.
  • A successful attacker modifies or deletes persisted application data and configuration, including user accounts and business-critical records.
  • A successful attacker crashes or disables the PeopleSoft Enterprise PT PeopleTools service, causing a full denial of service for dependent business processes.
  • Full system takeover means the attacker can pivot to other internal systems reachable from the compromised PeopleSoft host.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-35278, the recommended immediate actions are to apply network-policy isolation to restrict HTTP access to the Performance Monitor component to trusted source IP ranges only, enforce egress filtering on the affected host to limit lateral-movement potential, and disable the Performance Monitor feature via application configuration if it is not operationally required. HarborGuard continuously re-evaluates the advisory on every ingest cycle; the moment Oracle ships a patched release, a rebuilt image at the fix version becomes available, and customers with auto-remediation enabled will receive a rebuild, an automated regression test run, and a PR opened against affected workloads automatically. The CVE is flagged at Critical priority in all HarborGuard environments where images containing PeopleSoft Enterprise PT PeopleTools 8.61 or 8.62 layers are detected.

Affected packages
  • Oracle Corporation / PeopleSoft Enterprise PT PeopleTools
    8.61 · 8.62
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H