This vulnerability affects Oracle PeopleSoft Enterprise PT PeopleTools Application Server versions 8.61 and 8.62. It is exploitable remotely over HTTP without authentication but is considered difficult to exploit. Successful exploitation can lead to full compromise (takeover) of the PeopleSoft Enterprise PT PeopleTools environment, impacting confidentiality, integrity, and availability. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting network attack vector, high attack complexity, no privileges or user interaction required, and high impact on all security properties. Oracle included this vulnerability in its June 2026 Critical Security Patch Update advisory and strongly recommends applying the update. No direct patch link for this specific CVE is provided, but the advisory covers multiple products and vulnerabilities including this one.

An unauthenticated attacker with network access via HTTP can exploit this vulnerability to gain full control over the PeopleSoft Enterprise PT PeopleTools environment. This results in complete compromise of confidentiality, integrity, and availability of the affected system. The vulnerability is rated high severity with a CVSS score of 8.1. There are no known exploits in the wild at the time of publication.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update, which includes patches addressing CVE-2026-35276 among others. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation and by removing unnecessary privileges or access to vulnerable components from users. These mitigations may impact application functionality. Customers should prioritize patching to fully remediate the vulnerability.