Introduction
Oracle issued a rare out-of-cycle Security Alert on June 10, 2026 for a CVSS 9.8 unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools, a move Oracle reserves for flaws it considers too dangerous to wait for the next quarterly patch cycle. For the thousands of enterprises running PeopleSoft to manage payroll, HR, financials, and student records, CVE-2026-35273 represents a direct path from the network to full system compromise with no credentials required.
Technical Information
Vulnerability Overview
CVE-2026-35273 affects the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. This component is responsible for managing environment configuration and update deployment across PeopleSoft instances. Critically, it exposes HTTP interfaces that can be reached without authentication, which forms the basis of this vulnerability.
Oracle's advisory explicitly states that successful exploitation "may result in remote code execution," and the NVD description confirms that attacks "can result in takeover of PeopleSoft Enterprise PeopleTools."
CVSS v3.1 Scoring Breakdown
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H breaks down as follows:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over HTTP |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Unchanged | Impact confined to the vulnerable component |
| Confidentiality | High | Total information disclosure |
| Integrity | High | Total system compromise |
| Availability | High | Total denial of service possible |
This combination of metrics represents a worst case network vulnerability. An unauthenticated attacker can send a crafted HTTP request to compromise the system with no barriers to exploitation.
Probable Root Cause: Java Deserialization
While Oracle does not publicly disclose the technical internals of its vulnerabilities, the advisory references the JEP 290 Reference Blocklist Filter as an additional resource for managing related deserialization risks. JEP 290 (Filter Incoming Serialization Data) is a Java Enhancement Proposal that provides a mechanism for validating incoming serialized objects before they are deserialized, specifying which classes are acceptable and which should be rejected.
This reference strongly suggests the vulnerability involves a Java deserialization attack vector. This class of vulnerability has been historically devastating in Oracle middleware products, particularly those built on WebLogic and Tuxedo, both of which underpin PeopleSoft's architecture.
PeopleSoft Architecture and Attack Surface
PeopleSoft uses a three tier Pure Internet Architecture (PIA):
- Web server tier: Oracle WebLogic Server
- Application server tier: Oracle Tuxedo
- Database tier: Oracle Database
The PeopleTools layer spans all three tiers and has historically been a high value attack surface. The Updates Environment Management component sits within this architecture and, based on the vulnerability characteristics, appears to accept serialized Java objects over HTTP without proper authentication or input validation.
Attack Flow
Based on the available technical details, the likely exploitation path is:
- An attacker identifies an internet facing or network accessible PeopleSoft instance (common for employee self service portals).
- The attacker sends a crafted HTTP request to the Updates Environment Management component's endpoint.
- The request contains a malicious serialized Java object that bypasses any existing deserialization filters.
- The PeopleSoft application server deserializes the object, triggering arbitrary code execution in the context of the application server process.
- The attacker gains full control over the PeopleSoft instance, including access to all managed data (payroll, HR records, financial data) and the ability to pivot to connected database and application tiers.
No authentication is required at any step. No user interaction is needed. The attack complexity is low.
Escalation Pattern in PeopleTools Vulnerabilities
CVE-2026-35273 represents a notable escalation in the PeopleTools vulnerability landscape. Recent CVEs affecting the same versions (8.61 and 8.62) have progressively lowered the authentication barrier:
| CVE ID | Component | Privileges Required | CVSS |
|---|---|---|---|
| CVE-2025-30697 | Panel Processor | Low | Not specified |
| CVE-2025-53061 | Not specified | High | Not specified |
| CVE-2025-61750 | Not specified | Low | Not specified |
| CVE-2026-34307 | Workflow | Low | Not specified |
| CVE-2026-35273 | Updates Environment Mgmt | None | 9.8 |
The shift from low privileged or high privileged exploitation to fully unauthenticated exploitation is significant. It suggests either that the codebase contains multiple related vulnerability classes, or that researchers are systematically probing the same attack surfaces with increasing success.
Patch Information
Oracle addressed CVE-2026-35273 through a dedicated Security Alert released on June 10, 2026 (Revision 1). This was issued as a standalone out of band alert rather than part of a regularly scheduled Critical Patch Update, which is a strong signal of how seriously Oracle viewed the severity.
The fix applies to the two supported versions of PeopleSoft Enterprise PeopleTools: 8.61 and 8.62. Oracle published the patch under Patch Availability Document CPU187, accessible via My Oracle Support.
Key details for patch application:
- Where to get the patch: Log into My Oracle Support and navigate to Patch Availability Document CPU187.
- How to apply: PeopleTools patches are applied using Oracle's Change Assistant tool. Select Tools, Change Actions, then Update Manager, and follow the guided workflow.
- Support coverage requirement: Patches are only provided for product versions covered under Oracle's Premier Support or Extended Support phases. Organizations running older, unsupported versions of PeopleTools will not receive an official fix and must upgrade to a supported release (8.61 or 8.62) before applying the patch.
- Oracle's recommendation: Treat the implementation of this patch as a "high priority risk reduction measure" and apply it without delay.
The vulnerability was credited to three researchers: Bobby Gould and Minh Giang of TrendAI Zero Day Initiative, and Lucas Miller of TrendAI Research. The coordinated disclosure through ZDI and the resulting out of band alert underscore the real world exploitability of this flaw.
As a supplementary defense in depth measure, organizations should consider configuring JEP 290 serialization filters on PeopleSoft application server JVMs. This provides an additional layer of protection against deserialization based attacks, though it is not a replacement for the official patch. Additionally, restricting network access to PeopleSoft HTTP endpoints to authorized internal networks and VPN connections is an essential interim measure given the HTTP based attack vector.
Affected Systems and Versions
The following versions of Oracle PeopleSoft Enterprise PeopleTools are confirmed affected:
- PeopleSoft Enterprise PeopleTools 8.61
- PeopleSoft Enterprise PeopleTools 8.62
The vulnerable component is Updates Environment Management.
Oracle's advisory also notes that PeopleSoft Enterprise Applications customers may be at risk, extending the blast radius beyond the core PeopleTools product. Any PeopleSoft deployment using PeopleTools 8.61 or 8.62 with HTTP accessible Updates Environment Management endpoints is vulnerable.
Organizations running PeopleTools versions prior to 8.61 are outside the scope of the official patch but should assume they are also affected, as Oracle's advisory warns that earlier versions are likely vulnerable.
Vendor Security History
Oracle PeopleSoft has a well documented history of security vulnerabilities in its PeopleTools layer:
-
CVE-2017-3548 (2017): An XML External Entity (XXE) vulnerability in the PeopleSoftServiceListeningConnector allowed attackers to send specially crafted unauthorized XML requests processed by the XML parser.
-
PS_TOKEN and Node Password attacks (2015): Researchers at HITB demonstrated that the PS_TOKEN cookie trust mechanism and Node password could be compromised for full system access. This research was recognized in the Top 10 Web Hacking Techniques of 2012.
-
Multiple 2025 and 2026 PeopleTools CVEs: A series of vulnerabilities affecting PeopleTools 8.61 and 8.62, including CVE-2025-30697 (Panel Processor), CVE-2025-53061, CVE-2025-61750, and CVE-2026-34307 (Workflow), demonstrate ongoing security challenges in this codebase.
Oracle's quarterly Critical Patch Updates routinely address hundreds of vulnerabilities across its product portfolio. The May 2026 CPU alone addressed over 300 vulnerabilities. The increasing frequency of out of cycle Security Alerts for PeopleSoft and enterprise application vulnerabilities (including CVE-2026-21992 earlier in 2026) suggests that the standard quarterly patch cycle may not be sufficient for the pace of vulnerability discovery in Oracle's enterprise products.
From a threat actor perspective, the Cl0p ransomware group has recently exploited Oracle E-Business Suite vulnerabilities (including CVE-2025-61882) for account takeover and data exfiltration campaigns, establishing a clear precedent that sophisticated threat actors are actively targeting Oracle's enterprise application ecosystem. While no confirmed in the wild exploitation of CVE-2026-35273 has been reported as of June 11, 2026, CISA has been actively adding Oracle vulnerabilities to the Known Exploited Vulnerabilities catalog throughout June 2026, including CVE-2024-21182 (Oracle WebLogic Server) on June 1 and three additional CVEs on June 9.
The combination of trivial exploitation requirements (unauthenticated, low complexity, HTTP based), confirmed RCE impact, and active threat actor interest in Oracle products creates a narrow window for defenders to patch before exploitation begins.
References
- NVD: CVE-2026-35273
- Oracle Security Alert Advisory: CVE-2026-35273
- Oracle Security Blog: Security Alert CVE-2026-35273 Released
- Oracle Critical Patch Updates and Security Alerts
- Oracle Critical Security Patch Update Advisory: May 2026
- Oracle Security Alert Advisory: CVE-2026-21992
- Rublon: Oracle PeopleSoft Security: Architecture, Threats and Patch History
- HITB: Oracle PeopleSoft Applications are Under Attack (Whitepaper)
- Halcyon: Cl0p Abuses Oracle E-Business Suite for Account Takeover
- JEP 290: Filter Incoming Serialization Data
- Oracle Java Serialization Filtering Documentation
- NVD: CVE-2026-34307
- NVD: CVE-2025-53061
- NVD: CVE-2025-61750
- CISA Known Exploited Vulnerabilities Catalog
- CISA: Adds Three Known Exploited Vulnerabilities to Catalog (June 9, 2026)
- Trend Micro Threat Encyclopedia: 26-025 (June 9, 2026)
- stack.watch: Oracle PeopleSoft Enterprise PeopleTools
- Exploit-DB: Oracle PeopleSoft XML Webapps
- Oracle: Using Change Assistant to Apply PeopleTools Patch
- My Oracle Support



