CVE-2026-35273: Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability

CVE-2026-35273 is a Severity not scored in source feed flaw in Oracle PeopleSoft Enterprise PeopleTools. Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools. It is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-06-12), meaning it is being actively exploited, including in ransomware campaigns. The fix: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.

Vulnerability details

Field	Value
CVE ID	CVE-2026-35273
Vulnerability	Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Vendor / product	Oracle — PeopleSoft Enterprise PeopleTools
CVSS base score	Not in source feed
Severity	—
Weakness (CWE)	CWE-306
Added to CISA KEV	2026-06-12
CISA remediation due	2026-06-15
Known ransomware use	Known

Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.

What is the risk?

Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.

This vulnerability has known use in ransomware campaigns, which raises its practical urgency: exploitation has been observed as part of attacks that encrypt or exfiltrate data for extortion.

How to remediate CVE-2026-35273

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

U.S. federal civilian agencies were required to remediate this vulnerability by 2026-06-15 under CISA Binding Operational Directive 22-01. Private organizations should treat it with comparable urgency.

References

Frequently asked questions

What is CVE-2026-35273?

CVE-2026-35273 is a vulnerability in Oracle PeopleSoft Enterprise PeopleTools: Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.

How severe is CVE-2026-35273?

The CISA KEV catalog does not publish a CVSS base score for this entry. Check the NVD record for the official score. Its presence in the KEV catalog means it is confirmed to be exploited in the wild.

Is CVE-2026-35273 being exploited in the wild?

Yes. It appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, which only lists vulnerabilities with reliable evidence of active exploitation. It was added on 2026-06-12. It has known use in ransomware campaigns.

How do I fix CVE-2026-35273?

Related vulnerabilities

Last updated: 2026-06-13