CVE-2026-34309
Published: 21 April 2026
Summary
CVE-2026-34309 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2026-34309 by requiring timely patching of the specific flaw in PeopleSoft Enterprise PeopleTools as advised in the Oracle Critical Patch Update.
- AC-3 (Access Enforcement): Enforces approved authorizations to prevent low-privileged attackers from gaining unauthorized create, delete, modify, or read access to critical PeopleTools data via improper access control.
- Least privilege: Limits damage from low-privileged exploitation by ensuring accounts have only the privileges they need, reducing the scope of unauthorized data access and modification.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an improper access control flaw in a network-accessible (HTTP) web component of PeopleSoft that allows low-privileged authenticated attackers to perform unauthorized data access and modification. This directly maps to Exploit Public-Facing Application (T1190) and to Exploitation for Privilege Escalation (T1068).
NVD Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Deeper analysis
CVE-2026-34309 is a vulnerability in the Security component of Oracle PeopleSoft Enterprise PeopleTools, part of the Oracle PeopleSoft product. Affected versions include 8.61 through 8.62. Classified under CWE-284 (Improper Access Control), it carries a CVSS 3.1 base score of 8.1 (vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), with high impacts to confidentiality and integrity but no availability impact. The issue was published on April 21, 2026.
A low-privileged attacker with network access via HTTP can easily exploit this vulnerability to compromise PeopleSoft Enterprise PeopleTools. Successful exploitation enables unauthorized creation, deletion, or modification of critical data or all accessible PeopleTools data, as well as unauthorized access to critical data or complete access to all PeopleTools accessible data.
For mitigation details, refer to the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.