This vulnerability affects Oracle PeopleSoft Enterprise HCM Absence Management version 9.2. It is classified under CWE-306 (Missing Authentication for Critical Function) and allows a high privileged attacker with network access via HTTP to compromise the system. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data or full access to all data accessible by the product. The CVSS 3.1 vector indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impacts with no availability impact. Oracle's April 2026 Critical Patch Update advisory mentions multiple patches but does not explicitly confirm a patch for this vulnerability. Customers are advised to apply Critical Patch Updates promptly to mitigate risks.

The vulnerability enables a high privileged attacker with network access to gain unauthorized creation, deletion, or modification access to critical data within PeopleSoft Enterprise HCM Absence Management 9.2. This compromises confidentiality and integrity of the data but does not affect availability. There are no known exploits in the wild currently reported. The medium severity rating reflects the requirement for high privileges to exploit and the significant impact on data confidentiality and integrity.

Patch status is not yet confirmed for CVE-2026-34266. Oracle's April 2026 Critical Patch Update advisory does not explicitly state a patch for this specific vulnerability. Customers should review the advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest patch availability and apply all relevant Critical Patch Updates promptly. Oracle strongly recommends staying on actively supported versions and applying security patches without delay to mitigate exploitation risks.