CVE-2026-35273
Published: 11 June 2026
Summary
CVE-2026-35273 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2026-35273 is a critical vulnerability in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The flaw, tracked under CWE-306, permits unauthenticated remote attackers to compromise the affected system through HTTP requests, resulting in complete takeover with impacts to confidentiality, integrity, and availability. It carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access can exploit the issue without credentials or user interaction to gain full control of the PeopleSoft instance. The low attack complexity and network-exposed vector make it straightforward to leverage in internet-facing deployments.
Oracle's security advisory at oracle.com/security-alerts/alert-cve-2026-35273.html addresses remediation steps, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and the need for prioritized patching.
The EPSS score stands at 0.2221 and has not risen since reaching that level.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-36199
Vulnerability details
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): CWE-306
- KEV Date Added: 12 June 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The CWE-306 missing-authentication flaw sits on a network-exposed HTTP endpoint of PeopleSoft, so it directly enables unauthenticated remote code execution or full compromise of a public-facing application, which is exactly the pattern T1190 describes.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization checks on the HTTP-accessible Updates Environment Management component before any actions are permitted.
- IA-8 (Identification and Authentication (Non-organizational Users)): Requires identification and authentication of non-organizational users before granting access to the network-exposed PeopleSoft service.
- Mandates timely application of vendor patches to eliminate the missing-authentication flaw in versions 8.61 and 8.62.