CVE-2026-22006 affects Oracle PeopleSoft Enterprise HCM Human Resources version 9.2 in the Employee Snapshot component. It is an easily exploitable vulnerability that requires network access via HTTP and low privileges, but also requires user interaction from someone other than the attacker. Exploitation can result in unauthorized read and modification (update, insert, delete) of accessible data within the affected PeopleSoft product. The vulnerability impacts confidentiality and integrity but not availability, with a CVSS 3.1 score of 5.4. Oracle has addressed this vulnerability as part of its April 2026 Critical Patch Update, which includes hundreds of patches across Oracle products. The advisory strongly recommends applying the Critical Patch Update promptly to mitigate such vulnerabilities. No direct exploit code or active exploitation has been reported.

Successful exploitation of this vulnerability can lead to unauthorized read access and unauthorized update, insert, or delete operations on some data accessible within PeopleSoft Enterprise HCM Human Resources. This compromises the confidentiality and integrity of the affected data. The vulnerability may also impact additional Oracle products due to scope change. There is no impact on system availability. No known exploits in the wild have been reported.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. Customers are strongly advised to apply the April 2026 Critical Patch Update promptly to address this and other vulnerabilities. The vendor advisory does not explicitly state the patch availability status for this specific vulnerability, but the Critical Patch Update is the official remediation mechanism. Organizations should verify patch applicability for their PeopleSoft Enterprise HCM Human Resources 9.2 installations and apply the update without delay. There is no indication that any other mitigation or workaround is available or required.