This vulnerability (CVE-2026-22006) affects Oracle PeopleSoft Enterprise HCM Human Resources 9.2, in the Employee Snapshot component. It permits a low privileged attacker with network access via HTTP to gain unauthorized read and write access to certain data within the product. Exploitation requires user interaction from a third party, and successful attacks may affect other Oracle products due to scope change. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, required user interaction, scope change, and low confidentiality and integrity impacts. Oracle's April 2026 Critical Patch Update advisory references many patches but does not explicitly confirm a fix for this vulnerability in the provided excerpt. The product is not a cloud service, and no known exploits are currently reported.

Successful exploitation can lead to unauthorized reading and modification (update, insert, delete) of some data accessible through PeopleSoft Enterprise HCM Human Resources 9.2. The attack requires human interaction from a user other than the attacker and may have broader impact on other Oracle products due to scope change. There is no impact on availability. No known exploits in the wild have been reported.

Oracle's April 2026 Critical Patch Update advisory includes numerous security patches across Oracle products. However, the provided advisory content does not explicitly confirm the availability of a patch or official fix for CVE-2026-22006. Customers should consult the Oracle Critical Patch Update advisory and associated patch availability documentation at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation status and apply relevant patches promptly if available. Since this is not a cloud service, remediation depends on customer patching. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance.