HIGH | CVE-2026-46851 | CNA: oracle

CVE-2026-46851: Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Security)

Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Security). The supported version that is affected is 9.2.38. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise CS Campus Community. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated network-exploitable vulnerability exists in the Security component of Oracle PeopleSoft Enterprise CS Campus Community version 9.2.38. An attacker with HTTP access to the service can exploit this without any credentials or victim interaction, though the attack requires meeting specific environmental conditions (AC:H). Successful exploitation results in full takeover of the PeopleSoft Enterprise CS Campus Community instance, affecting confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-46851 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package PeopleSoft Enterprise CS Campus Community 9.2.38. Any image in a connected registry or CI pipeline that contains an affected artifact will surface a finding automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and applies per-environment compliance policy weighting to determine priority routing. Each organization's configured policies govern which team inbox or ticketing integration receives the alert, ensuring the right engineering or security team is notified without manual triage overhead.

Status: Available

Patch

No fix version has been published by Oracle for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the PeopleSoft service over the network via HTTP; there is no requirement for local or physical access.

  • Authentication: Not required

    No credentials of any privilege level are needed; the attacker can target the service as an anonymous unauthenticated user.

  • Victim interaction: Not required

    The exploit is entirely attacker-driven and does not rely on any action from a user of the affected system.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning the attacker must satisfy specific environmental conditions or timing constraints beyond basic network access before the attack will succeed.

Blast Radius

  • A successful attacker achieves full takeover of the PeopleSoft Enterprise CS Campus Community instance, reading all data the application can access including student records, personal information, and session tokens.
  • The attacker can write or modify persisted application data, including enrollment records, user account configurations, and security settings.
  • The attacker can crash or render the application unavailable, disrupting campus community services for all end users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-46851 at this time, the recommended posture is to apply compensating controls while monitoring for patch availability. HarborGuard surfaces the finding in each environment where an affected image is present, enabling teams to act on network-policy isolation (restricting HTTP access to the PeopleSoft service to known IP ranges), egress filtering, and WAF-layer controls that raise the bar for the environmental conditions this high-complexity exploit requires. HarborGuard re-checks the Oracle advisory on every ingest cycle; the moment Oracle publishes a fix for version 9.2.38, a patched-image rebuild becomes available, and for customers with auto-remediation enabled, HarborGuard initiates the rebuild, runs regression tests, and opens a PR against affected workloads automatically. Where compliance policy permits this auto-remediation flow, median time from patch availability to a merged PR for HIGH-severity issues is around 90 minutes.

Affected packages
  • Oracle Corporation / PeopleSoft Enterprise CS Campus Community
    9.2.38
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H