CVE-2026-35271 is a vulnerability in Oracle PeopleSoft Enterprise PT PeopleTools (component: Weblogic) versions 8.61 and 8.62. It allows an unauthenticated attacker with network access via HTTP to compromise the product, potentially leading to unauthorized creation, deletion, or modification of critical data or complete access to all accessible data within PeopleTools. The vulnerability has a CVSS 3.1 base score of 8.7, indicating high severity, with impacts on confidentiality and integrity. The vulnerability may also affect additional Oracle products due to scope change. Oracle has included patches for this vulnerability in its June 2026 Critical Security Patch Update and strongly advises customers to apply these patches without delay.

Successful exploitation of this vulnerability can lead to unauthorized creation, deletion, or modification of critical data within PeopleSoft Enterprise PT PeopleTools, as well as unauthorized access to all accessible data. This compromises the confidentiality and integrity of the affected systems. The vulnerability is difficult to exploit but does not require authentication, increasing the risk surface. The scope of impact may extend beyond PeopleTools to other Oracle products.

Oracle has released patches for CVE-2026-35271 as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches promptly to mitigate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges or access to vulnerable packages from users. However, these workarounds may impact application functionality. Patch status is confirmed by Oracle's advisory, and no alternative fixes are indicated.