CVE-2026-34295 affects Oracle PeopleSoft Enterprise SCM Purchasing version 9.2 and allows a low privileged attacker with network access over HTTP to compromise the system, resulting in unauthorized access to critical or all accessible data. The vulnerability has a CVSS 3.1 score of 6.5 with a vector indicating network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. The vulnerability is included in Oracle's April 2026 Critical Patch Update advisory, which addresses numerous vulnerabilities across Oracle products. The advisory recommends applying patches promptly but does not explicitly state the patch status for this specific vulnerability. No known exploits in the wild have been reported.

Successful exploitation of this vulnerability can lead to unauthorized access to critical or all accessible data within PeopleSoft Enterprise SCM Purchasing 9.2. The confidentiality of sensitive information is at high risk, but the vulnerability does not affect data integrity or system availability. There are no reports of active exploitation in the wild.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory, which contains multiple security patches. Customers are strongly advised to review the advisory at https://www.oracle.com/security-alerts/cpuapr2026.html and apply the relevant patches promptly to mitigate this and other vulnerabilities. Patch status for this specific vulnerability is not explicitly confirmed in the advisory; therefore, customers should monitor Oracle's updates and apply Critical Patch Updates without delay. No alternative mitigations or workarounds are specified.