HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-35289Published Modified CNA oracle

CVE-2026-35289: Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package)

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1
8.1
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a high-severity vulnerability in the Deployment Package component of Oracle PeopleSoft Enterprise PT PeopleTools, affecting versions 8.61 and 8.62. An unauthenticated attacker with network access over HTTPS can reach the vulnerable component without any credentials, though exploitation requires meeting certain difficult environmental conditions derived from the high attack complexity rating. Successful exploitation results in full takeover of the PeopleTools instance, including complete loss of confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard tracks the Oracle advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle PeopleTools components. Any image running an affected version (8.61 or 8.62) of the Deployment Package component is flagged automatically as new scan cycles complete.

Available
Triage

HarborGuard scores this CVE at CVSS 8.1 HIGH and weights it against each environment's compliance policy to determine breach-of-threshold routing. The resulting alert is dispatched to the appropriate team inbox inside each customer organization based on their configured ownership rules.

Available
Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without requiring manual intervention once a fix version becomes available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the PeopleTools Deployment Package service over the network via HTTPS; there is no local-only or adjacent-only restriction.

  • AuthenticationNot required

    No credentials of any kind are needed; the vulnerable endpoint is accessible to unauthenticated network requests.

  • Victim interactionNot required

    No user action or social engineering is required; the attacker interacts directly with the service.

  • Attack complexityDetail

    Exploitation is rated High complexity, meaning the attacker must meet specific environmental conditions or timing constraints beyond simple request crafting before the attack succeeds reliably.

Blast Radius

  • A successful attacker reads all data accessible to the PeopleTools application, including HR records, credentials, and session tokens stored within the system.
  • A successful attacker modifies or deletes persisted application data and configuration, including deployment packages and associated metadata.
  • A successful attacker crashes or renders the PeopleTools service unavailable, disrupting dependent business processes.
  • Full system takeover is achievable, giving the attacker persistent control over the affected PeopleTools instance and any resources it can reach.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-35289, the platform monitors the Oracle advisory on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix version is released. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the meantime, compensating controls worth evaluating include restricting network-policy access to the PeopleTools HTTPS endpoint to known-good source CIDRs, applying egress filtering to limit what the PeopleTools service can reach if compromised, and disabling or isolating the Deployment Package component where it is not operationally required. HarborGuard will surface the fix-version rebuild as soon as it is available without requiring any manual action from the customer team.

See how HarborGuard automates this
Affected packages
  • Oracle Corporation / PeopleSoft Enterprise PT PeopleTools
    8.61 · 8.62
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References