This vulnerability in Oracle PeopleSoft Enterprise PeopleTools Workflow component affects versions 8.61-8.62 and allows a low privileged attacker with network access via HTTP to perform unauthorized data operations (read, update, insert, delete) on accessible PeopleSoft data. Exploitation requires user interaction from a person other than the attacker and may impact additional products beyond PeopleTools. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and limited confidentiality and integrity impacts. The vulnerability is documented in Oracle's April 2026 Critical Patch Update advisory, which includes many patches but does not explicitly confirm a patch for this CVE. No known active exploitation has been reported.

Successful exploitation can result in unauthorized read access to some PeopleSoft Enterprise PeopleTools data and unauthorized update, insert, or delete operations on accessible data. The scope of impact may extend beyond PeopleTools to additional Oracle products. The CVSS score of 5.4 indicates a medium severity with confidentiality and integrity impacts but no availability impact. No known exploits in the wild have been reported, reducing immediate risk.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. However, the advisory content provided does not explicitly confirm patch availability or remediation status for CVE-2026-34307. Customers are strongly advised to review the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest patch information and apply all relevant patches promptly. Until official patches or mitigations are confirmed, organizations should consider risk mitigation strategies consistent with their environment and monitor Oracle advisories for updates. No vendor statement indicates that no action is required or that the issue is already mitigated.