This vulnerability affects Oracle PeopleSoft Enterprise FIN Project Costing version 9.2 and allows a low privileged attacker with network access via HTTP to compromise the system, resulting in unauthorized access to critical or all accessible data within the product. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact without affecting integrity or availability. The vulnerability is publicly disclosed and included in Oracle's April 2026 Critical Patch Update advisory, which addresses multiple vulnerabilities across Oracle products. The advisory recommends applying the Critical Patch Update without delay but does not explicitly confirm a dedicated patch for this specific CVE within the advisory text provided.

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive or critical data within PeopleSoft Enterprise FIN Project Costing version 9.2. The confidentiality of data is highly impacted, but there is no direct impact on data integrity or system availability. No known exploits are reported in the wild, but the vulnerability is considered easily exploitable by an attacker with network access and low privileges.

Oracle strongly recommends applying the April 2026 Critical Patch Update, which includes security patches for multiple vulnerabilities across Oracle products. Although the vendor advisory does not explicitly confirm a dedicated patch for CVE-2026-34306, the Critical Patch Update is the authoritative source for remediation. Organizations should promptly review the advisory at https://www.oracle.com/security-alerts/cpuapr2026.html and apply all relevant patches to their PeopleSoft Enterprise FIN Project Costing installations. Maintaining up-to-date software versions and applying Oracle's Critical Patch Updates without delay is the primary mitigation strategy.