PeopleSoft CVE-2026-35273: unauthenticated takeover of an HR software giant
> TL;DR: PeopleSoft PeopleTools 8.61 and 8.62 expose a critical function without authentication. An attacker with plain HTTP access can go as far as full takeover. CVSS 9.8, actively exploited, added to CISA's KEV catalog on June 12, 2026 with a June 15 remediation deadline — a rare urgency signal.
The context: the HRIS of large organizations
PeopleSoft runs HR and payroll for a large share of big organizations: government agencies, universities, industrial groups. The data flowing through PeopleTools — the suite's technical layer — is exactly what we spend our time protecting at SaaS vendors: salaries, bank details, health data, performance reviews.
When Oracle publishes an out-of-cycle alert (outside its usual quarterly Critical Patch Update) and CISA gives federal agencies three days to patch, the reading is simple: attackers are exploiting this flaw while you read these lines.
The flaw: a door with no lock
CVE-2026-35273 is classified CWE-306: *Missing Authentication for Critical Function*. No subtle bypass, no broken cryptography — a critical function reachable over HTTP, without authentication, exploitable with no user interaction. Oracle describes a compromise that can result in full takeover of PeopleTools.
CVSS 9.8, the top of the spectrum: network attack, low complexity, no privileges required, total impact on confidentiality, integrity and availability.
If you operate PeopleSoft
What this flaw tells HR SaaS vendors
You don't run PeopleSoft? The lesson still applies to you, for two reasons.
First, the commercial argument. "Even Oracle" ships a critical function without authentication. The security of HR software cannot be inferred from the vendor's size or age — it has to be verified. That's precisely what your enterprise prospects have understood, and it's why security questionnaires have become systematic.
Second, the technical pattern. Missing authentication on a critical function is one of the flaws we find most often in modern SaaS — in less spectacular but equally exploitable forms: an "internal" admin endpoint reachable from the internet, a sync route called by a cron job with no verification, a payroll webhook that accepts any caller, a reporting API deployed before the auth layer.
The question to ask yourself this morning: among your critical endpoints — exports, administration, payroll sync, webhooks — which ones have you actually tested without a valid session? It's one of the first checks in our First Review, in real-world conditions, verdict in 48h.
Go further
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Payroll vendor audit: what to review first
The first areas to review in a payroll vendor: access, exports, documents, support, logs, and tenant separation.
DSN security: weak points to review in payroll software
Common blind spots around DSN-related flows: access, logs, test environments, and data reused beyond its intended scope.
The 5 most common flaws in payroll and HR software
The exposure patterns most often found in HR and payroll software: weak role separation, open exports, accessible documents, and overly chatty APIs.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.