Oracle has patched a remote code execution vulnerability in PeopleSoft, tracked as CVE-2026-35273, that stems from unsafe deserialization of user-supplied data within the HubMBeanPersistance method. The Zero Day Initiative published its advisory on June 24, 2026, following coordinated disclosure that began on June 10.
Vulnerability Details
The flaw carries a CVSS score of 7.5 and is classified as network-exploitable with high attack complexity. While authentication is nominally required to reach the affected code path, the advisory notes that the existing authentication mechanism can be bypassed, which lowers the practical barrier to exploitation.
Once an attacker reaches that code path, the lack of validation on user-supplied input allows untrusted data to be deserialized. Successful exploitation yields arbitrary code execution in the context of the PeopleSoft service account, which typically holds elevated privileges in enterprise deployments.
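As an added illustration of the bug class the advisory describes (not PeopleSoft's code; the PersistRequest type, method names and sample inputs are hypothetical), the vulnerable read pattern beside a hardened one that installs a JEP 290 deserialization filter:

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Set;

// Illustration of the bug class (not PeopleSoft code): a plain ObjectInputStream
// instantiates whatever classes a request body names, so a crafted stream can reach
// gadget classes on the classpath. The hardened variant installs a JEP 290
// ObjectInputFilter (Java 9+) that admits only the one message type expected.
public class DeserializationFilterExample {
    // Hypothetical message type the endpoint legitimately expects.
    public static final class PersistRequest implements Serializable {
        public final String key;
        public PersistRequest(String key) { this.key = key; }
    }
    // Vulnerable pattern: nothing restricts which classes the stream may instantiate.
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }
    // Hardened pattern: allow-list the expected classes and cap depth and size. The
    // filter runs before each class is resolved, so a disallowed class is never
    // instantiated; readObject throws InvalidClassException instead.
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        Set<Class<?>> allowed = Set.of(PersistRequest.class, String.class);
        ObjectInputFilter filter = info -> {
            if (info.depth() > 4 || info.streamBytes() > 16_384) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // back-reference: no class to judge
            return allowed.contains(c) ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PersistRequest("config-key"));   // constructed, benign input
        byte[] unexpected = serialize(new ArrayList<>(Set.of("x")));     // constructed stand-in for a disallowed class
        System.out.println("filtered, expected type: " + ((PersistRequest) readFiltered(expected)).key);
        System.out.println("unfiltered accepts any type: " + readUnfiltered(unexpected).getClass().getName());
        try { readFiltered(unexpected); } catch (InvalidClassException e) {
            System.out.println("filtered rejected it: " + e.getMessage());
        }
    }
}
```

The same allow-list can be applied process-wide with the jdk.serialFilter system property, which is the usual way to cover deserialization sites in code you do not own.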
Impact and Scope
PeopleSoft is widely deployed in large enterprises and public-sector organizations for ERP, HR, and financial management. A compromised service account in such environments can provide an attacker with access to sensitive personnel records, financial data, and backend database systems.
The confidentiality, integrity, and availability impact ratings are all listed as high, reflecting the potential for significant damage if the vulnerability is exploited in a production environment.
Remediation
Oracle has issued a patch and published additional guidance at its security alert page for CVE-2026-35273. Administrators running affected PeopleSoft installations should apply the update promptly, particularly because the authentication bypass means that authentication and perimeter controls alone cannot be relied on as a compensating measure.
The vulnerability was discovered and reported by Bobby Gould and Minh Giang of TrendAI Zero Day Initiative, along with Lucas Miller of TrendAI Research.
