CVE-2026-34309 affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 and involves a security flaw in the product's security component. The vulnerability is exploitable over the network via HTTP by an attacker with low privileges and no user interaction required. Successful exploitation can result in unauthorized creation, deletion, or modification of critical data or full access to all data accessible through PeopleTools. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impacts with no impact on availability. Oracle's April 2026 Critical Patch Update advisory references this vulnerability as part of a large set of security patches but does not provide explicit patch details for PeopleTools in the advisory content provided.

The vulnerability allows unauthorized actors with low privileges and network access to compromise PeopleSoft Enterprise PeopleTools, potentially leading to unauthorized creation, deletion, or modification of critical data or full access to all data accessible via PeopleTools. This can severely impact data confidentiality and integrity within affected environments. There are no reports of active exploitation in the wild at this time.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory, which contains numerous security patches. Customers should promptly review and apply the April 2026 Critical Patch Update to ensure remediation of this and other vulnerabilities. Since the vendor advisory does not explicitly confirm patch availability for this specific vulnerability, customers should verify patch applicability and installation instructions in the official Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html. Maintaining up-to-date patches is critical as Oracle reports ongoing attempts to exploit vulnerabilities for which patches exist.