External risk intelligence

Oracle PeopleSoft PT PeopleTools Authentication Bypass Leads to Takeover

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-35278

A critical vulnerability in Oracle PeopleSoft's Performance Monitor component allows unauthenticated attackers with network access to take over the affected system. This issue presents a significant risk to confidentiality, integrity, and availability.

Missing Authentication

Halo Surface Signal

Possible · external exposure

The vulnerability affects a PeopleTools component that is reachable via HTTP. While such enterprise management and performance monitoring components are typically deployed within internal corporate networks and protected by firewalls, they are sometimes misconfigured or intentionally exposed, making internet reachability possible but not the standard deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle's PeopleSoft Enterprise PT PeopleTools, impacting systems used for performance monitoring. This issue is easily exploitable by unauthenticated attackers over the network, potentially leading to a complete takeover of the affected PeopleSoft environment.

  • Unauthenticated network access can compromise PeopleSoft.
  • This critical flaw demands attention to system exposure.
  • Confirm relevance and assess potential impact.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by targeting the Performance Monitor component within PeopleSoft Enterprise PT PeopleTools, which is accessible over the network via HTTP. Since the vulnerability is easily exploitable by an unauthenticated attacker, they could gain complete control of the affected system, leading to significant data compromise and operational disruption.

  • Network access required.
  • Triggered through the Performance Monitor component.
  • Full system takeover risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access to compromise PeopleSoft Enterprise PT PeopleTools, potentially leading to a complete takeover of the system. The attack targets the Performance Monitor component and can affect confidentiality, integrity, and availability of the system.

  • System takeover of PeopleSoft Enterprise PT PeopleTools.
  • Unauthenticated network access via HTTP.
  • Full compromise of the PeopleSoft system.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Oracle PeopleSoft's Performance Monitor component, affecting versions 8.61 and 8.62. The first step for relevant teams, likely including application owners, platform administrators, and security teams, is to identify all instances of the affected PeopleSoft environment. Confirming the business criticality and network exposure of these instances will inform prioritization for remediation, which may involve coordinating with Oracle or implementing temporary risk reduction measures.

  • Application owners should lead remediation efforts.
  • Verify reachability and business criticality first.
  • Plan remediation based on exposure and risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35278 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle PeopleSoft Enterprise PT PeopleTools allows an unauthenticated attacker to take over the system, which would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Oracle PeopleSoft PT PeopleTools?

PeopleTools is the underlying technical foundation and development environment for Oracle PeopleSoft applications. It provides the core framework for building, deploying, and managing enterprise business software. The specific component affected here, the Performance Monitor, is a tool used by administrators to track system health, monitor performance metrics, and troubleshoot bottlenecks across their PeopleSoft environment.

What does CWE-306 mean for CVE-2026-35278?

This vulnerability is classified as CWE-306, Missing Authentication for Critical Function. In plain terms, the software performs sensitive operations without first verifying the identity of the caller. Because that check is absent, an unauthorized person can interact with the Performance Monitor component directly and obtain control without supplying a username or password.

How is this vulnerability triggered?

An attacker triggers this flaw by sending specifically crafted HTTP requests to the Performance Monitor component over the network. The vulnerability does not require any prior authentication or user interaction to succeed. It is important to note that internal background tasks or non-HTTP system processes that do not interact with the Performance Monitor web interface are not the intended target of this specific network-based attack.

Do I need to worry if my system is internal?

While Halo Surface Signal notes that Performance Monitor components are typically kept within internal networks, you should not assume safety based on network location alone. If your PeopleSoft instance is reachable via HTTP—even if restricted to a private network—it remains at risk if an attacker gains a foothold elsewhere in that segment. Evaluate whether your architecture inadvertently allows access to this component beyond its intended administrative scope.

What should I do first to respond to CVE-2026-35278?

Begin by identifying all deployments of PeopleSoft versions 8.61 and 8.62 within your organization. Once you have a complete inventory, verify which of these instances are active and determine their current network reachability. Coordinate with your application owners and platform administrators to assess the business criticality of these systems and prepare for maintenance windows to apply the necessary security updates from Oracle.
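The inventory-and-prioritization steps described in the Operational Fix section and in the answer above, as an added example that is not part of this advisory or of Oracle's tooling: it reads a constructed inventory (the hostnames, CSV columns, weights, and the treatment of 8.61.x and 8.62.x as the affected versions are assumptions) and orders affected instances by network reachability and business criticality.

```python
# Added triage helper; not part of the advisory or of Oracle's tooling.
# Assumptions: the inventory is a constructed CSV with columns
# host,peopletools_version,reachability,criticality, and any 8.61.x or
# 8.62.x release counts as affected (the advisory names "8.61 and 8.62").
import csv
import io

CVE_ID = "CVE-2026-35278"
AFFECTED_MAJOR_MINOR = {(8, 61), (8, 62)}

# Weights are an assumption, used only to order the remediation queue.
REACH_WEIGHT = {"internet": 3, "internal-http": 2, "unreachable": 0}
CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed sample inventory (hostnames and values are made up).
SAMPLE_INVENTORY = """\
host,peopletools_version,reachability,criticality
hr-pia-01.example.internal,8.61.07,internet,high
fin-pia-02.example.internal,8.62.01,internal-http,medium
dev-pia-03.example.internal,8.60.12,internet,low
ppm-mon-04.example.internal,8.62.00,unreachable,high
"""

def parse_version(text):
    """Turn '8.61.07' into (8, 61); the patch level is ignored on purpose."""
    parts = text.strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"unparseable PeopleTools version: {text!r}")
    return int(parts[0]), int(parts[1])

def is_affected(version_text):
    return parse_version(version_text) in AFFECTED_MAJOR_MINOR

def triage(inventory_csv):
    """Return affected instances sorted by descending priority score."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["peopletools_version"]):
            continue
        # Unknown reachability is treated as reachable: do not assume safety
        # from network location alone. Unreachable hosts still need the patch.
        reach = REACH_WEIGHT.get(row["reachability"], 2)
        crit = CRIT_WEIGHT.get(row["criticality"], 2)
        findings.append({"host": row["host"], "version": row["peopletools_version"],
                         "reachability": row["reachability"], "score": reach * crit})
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{CVE_ID} {f['host']} {f['version']} {f['reachability']} priority={f['score']}")
```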