CVE-2026-34277 is a medium severity vulnerability in Oracle PeopleSoft Enterprise PeopleTools (versions 8.61-8.62) Fluid Core component. It allows a high privileged attacker with network access via HTTP to perform unauthorized data modification (update, insert, delete), unauthorized read access to some data, and cause a partial denial of service. The vulnerability impacts confidentiality, integrity, and availability with a CVSS 3.1 score of 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L). The scope of impact may extend beyond PeopleTools to additional products. Oracle’s April 2026 Critical Patch Update advisory references this vulnerability but does not explicitly confirm patch availability for it. No known exploits in the wild have been reported.

Successful exploitation can lead to unauthorized modification (update, insert, delete) and unauthorized read access to some PeopleSoft Enterprise PeopleTools data, as well as partial denial of service conditions. The vulnerability affects confidentiality, integrity, and availability of the affected system. The attacker requires high privileges and network access via HTTP. The scope of impact may extend beyond PeopleTools to other Oracle products. No known active exploitation has been reported.

Oracle’s April 2026 Critical Patch Update advisory includes security patches addressing multiple vulnerabilities, including this one. However, the advisory does not explicitly confirm patch availability or provide a specific fix for CVE-2026-34277. Customers are strongly advised to remain on actively supported versions and apply Oracle Critical Patch Updates promptly when available. Patch status is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. No vendor advisory states that no action is required or that the issue is already mitigated.