{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34307", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.679Z", "datePublished": "2026-04-21T20:35:34.954Z", "dateUpdated": "2026-04-21T20:35:34.954Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:34.954Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "PeopleSoft Enterprise PeopleTools", "versions": [{"version": "8.61", "status": "affected", "lessThanOrEqual": "8.62", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.61", "versionEndIncluding": "8.62"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)."}], "id": "CVE-2026-34307", "lastModified": "2026-04-21T21:16:36.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:36.117", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.61,8.62]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PeopleSoft Enterprise PeopleTools", "source": "cna", "vendor": "Oracle Corporation"}, "product": "peoplesoft_enterprise_peopletools", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T04:55:12.050656+00:00", "value": {"mitigation_remediation": ["Deploy the latest PeopleSoft Enterprise PeopleTools patch that resolves the workflow access\u2011control flaw as released by Oracle", "Configure network firewalls to restrict direct HTTP access to the PeopleSoft application, allowing only trusted IP ranges to connect to the workflow component", "Implement workflow monitoring and logging to detect unauthorized process initiation or data modification, and alert administrators"], "summary": {"action": "Apply Patch", "impact": "unauthorized read, update, or delete of PeopleSoft data via low\u2011privileged HTTP access"}, "threat_synthesis": {"affected_systems": "Oracle Corporation PeopleSoft Enterprise PeopleTools, specifically the Workflow component. Versions 8.61 through 8.62 are known to be affected.", "description_and_impact": "An access\u2011control flaw in the Corporate Workflow component of Oracle PeopleSoft Enterprise PeopleTools allows a low\u2011privileged attacker who can reach the application over HTTP to modify or read data that should be restricted. The vulnerability requires the attacker to gain a remote, network\u2011level connection, and a human who is not the attacker must interact with the system to enable the attack. Successful exploitation results in unauthorized insert, update, or delete operations, as well as unauthorized read access to a subset of data, thereby compromising the confidentiality and integrity of the affected data. The flaw is categorized as a moderate\u2011severity error because it does not directly give full system takeover but can undermine business processes and data trust.", "risk_and_exploitability": "The CVSS v3.1 score of 5.4 indicates moderate risk with low complexity and low privilege set. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers need network access to the PeopleSoft application over HTTP and will need a separate user to interact with the workflow to activate the flaw. Although the risk is moderate, the scope change can allow the impact to extend to other connected products, and therefore the overall risk warrants timely remediation."}}}}, "created": "2026-04-22T03:15:06.281197+00:00", "title": "Low\u2011Privilege HTTP Data Modification in Oracle PeopleSoft Workflow", "updated": "2026-04-22T05:00:09.530779+00:00", "vendors": ["oracle", "oracle$PRODUCT$peoplesoft_enterprise_peopletools"], "weaknesses": ["CWE-284", "CWE-285"]}