Back to blog
CVEHR Techpayroll

PeopleSoft CVE-2026-35273: unauthenticated takeover of an HR software giant

Published on 2026-07-066 min readCleanIssue

> TL;DR: PeopleSoft PeopleTools 8.61 and 8.62 expose a critical function without authentication. An attacker with plain HTTP access can go as far as full takeover. CVSS 9.8, actively exploited, added to CISA's KEV catalog on June 12, 2026 with a June 15 remediation deadline — a rare urgency signal.

The context: the HRIS of large organizations

PeopleSoft runs HR and payroll for a large share of big organizations: government agencies, universities, industrial groups. The data flowing through PeopleTools — the suite's technical layer — is exactly what we spend our time protecting at SaaS vendors: salaries, bank details, health data, performance reviews.

When Oracle publishes an out-of-cycle alert (outside its usual quarterly Critical Patch Update) and CISA gives federal agencies three days to patch, the reading is simple: attackers are exploiting this flaw while you read these lines.

The flaw: a door with no lock

CVE-2026-35273 is classified CWE-306: *Missing Authentication for Critical Function*. No subtle bypass, no broken cryptography — a critical function reachable over HTTP, without authentication, exploitable with no user interaction. Oracle describes a compromise that can result in full takeover of PeopleTools.

CVSS 9.8, the top of the spectrum: network attack, low complexity, no privileges required, total impact on confidentiality, integrity and availability.

If you operate PeopleSoft

  • Apply the fix from the Oracle alert immediately (PeopleTools 8.61 and 8.62 affected)
  • Until patched: restrict HTTP access to PeopleTools to internal networks and VPN — this layer has no business being exposed to the internet
  • Hunt for indicators of compromise predating the patch: created accounts, scheduled tasks, unusual access to payroll tables
  • Treat the data as potentially exfiltrated if the instance was exposed — with everything that implies for GDPR breach notification (72 hours if the risk is confirmed)
  • What this flaw tells HR SaaS vendors

    You don't run PeopleSoft? The lesson still applies to you, for two reasons.

    First, the commercial argument. "Even Oracle" ships a critical function without authentication. The security of HR software cannot be inferred from the vendor's size or age — it has to be verified. That's precisely what your enterprise prospects have understood, and it's why security questionnaires have become systematic.

    Second, the technical pattern. Missing authentication on a critical function is one of the flaws we find most often in modern SaaS — in less spectacular but equally exploitable forms: an "internal" admin endpoint reachable from the internet, a sync route called by a cron job with no verification, a payroll webhook that accepts any caller, a reporting API deployed before the auth layer.

    The question to ask yourself this morning: among your critical endpoints — exports, administration, payroll sync, webhooks — which ones have you actually tested without a valid session? It's one of the first checks in our First Review, in real-world conditions, verdict in 48h.

    Go further

    Related articles

    Three adjacent analyses to keep exploring the same attack surface.

    Sources

    Written by CleanIssue
    Reviewed on 2026-07-06

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit