CVE-2026-34307: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. in Oracle Corporation PeopleSoft Enterprise PeopleTools
CVE-2026-34307 is a medium severity vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8. 61-8. 62. It allows a low privileged attacker with network access via HTTP to compromise the product, requiring user interaction from a person other than the attacker. Exploitation can lead to unauthorized read, update, insert, or delete access to some PeopleSoft Enterprise PeopleTools data. The vulnerability affects confidentiality and integrity but not availability. Oracle has published a Critical Patch Update advisory that includes patches for multiple vulnerabilities, but the specific patch status for this CVE is not explicitly stated in the advisory.
AI Analysis
Technical Summary
This vulnerability exists in the Workflow component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61-8.62. It is exploitable remotely over the network with low privileges and requires user interaction. Successful exploitation results in unauthorized read and modification (update, insert, delete) of accessible PeopleSoft Enterprise PeopleTools data. The CVSS 3.1 base score is 5.4, reflecting medium severity with impacts on confidentiality and integrity. The vulnerability scope extends beyond PeopleTools to potentially impact additional Oracle products. No known exploits in the wild have been reported. Oracle’s April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this CVE.
Potential Impact
Successful exploitation can lead to unauthorized read access to some PeopleSoft Enterprise PeopleTools data and unauthorized update, insert, or delete operations on that data. This compromises confidentiality and integrity of the affected data but does not impact availability. The vulnerability requires user interaction and low privileges, increasing the attack complexity. The scope of impact may extend beyond PeopleSoft Enterprise PeopleTools to other Oracle products.
Mitigation Recommendations
Oracle’s April 2026 Critical Patch Update advisory recommends applying the latest security patches promptly. However, the advisory does not explicitly confirm a patch for CVE-2026-34307. Therefore, patch status is not yet confirmed—check the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Customers should remain on actively supported versions and apply Critical Patch Updates without delay to mitigate this and other vulnerabilities.
CVE-2026-34307: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. in Oracle Corporation PeopleSoft Enterprise PeopleTools
Description
CVE-2026-34307 is a medium severity vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8. 61-8. 62. It allows a low privileged attacker with network access via HTTP to compromise the product, requiring user interaction from a person other than the attacker. Exploitation can lead to unauthorized read, update, insert, or delete access to some PeopleSoft Enterprise PeopleTools data. The vulnerability affects confidentiality and integrity but not availability. Oracle has published a Critical Patch Update advisory that includes patches for multiple vulnerabilities, but the specific patch status for this CVE is not explicitly stated in the advisory.
CVSS v3.1
Score 5.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability exists in the Workflow component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61-8.62. It is exploitable remotely over the network with low privileges and requires user interaction. Successful exploitation results in unauthorized read and modification (update, insert, delete) of accessible PeopleSoft Enterprise PeopleTools data. The CVSS 3.1 base score is 5.4, reflecting medium severity with impacts on confidentiality and integrity. The vulnerability scope extends beyond PeopleTools to potentially impact additional Oracle products. No known exploits in the wild have been reported. Oracle’s April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this CVE.
Potential Impact
Successful exploitation can lead to unauthorized read access to some PeopleSoft Enterprise PeopleTools data and unauthorized update, insert, or delete operations on that data. This compromises confidentiality and integrity of the affected data but does not impact availability. The vulnerability requires user interaction and low privileges, increasing the attack complexity. The scope of impact may extend beyond PeopleSoft Enterprise PeopleTools to other Oracle products.
Mitigation Recommendations
Oracle’s April 2026 Critical Patch Update advisory recommends applying the latest security patches promptly. However, the advisory does not explicitly confirm a patch for CVE-2026-34307. Therefore, patch status is not yet confirmed—check the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Customers should remain on actively supported versions and apply Critical Patch Updates without delay to mitigate this and other vulnerabilities.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-03-26T19:48:45.679Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5a819fe3cd2cdf9f9b3
Added to database: 4/21/2026, 9:01:28 PM
Last enriched: 4/29/2026, 11:40:30 AM
Last updated: 6/1/2026, 6:10:10 AM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.