Oracle has patched a critical server-side request forgery (SSRF) vulnerability in PeopleSoft, tracked as CVE-2026-35273, carrying a CVSS score of 9.3. The flaw was publicly disclosed on June 24, 2026, following coordinated disclosure to Oracle on June 10.

Vulnerability Details

The flaw resides in the HttpListeningConnector class within Oracle PeopleSoft. The root cause is insufficient validation of a URI before the application accesses the requested resource. Because no authentication is required to trigger the issue, any remote attacker with network access to the affected installation can initiate arbitrary outbound requests from the server.

In CVSS terms, the vulnerability has a network attack vector, low attack complexity, no privileges required, and no user interaction. The scope is marked as changed, reflecting that the server can be used as a proxy to reach internal or otherwise restricted resources that the attacker could not address directly.
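As an added illustration (not Oracle's code and not the actual fix), the following Python sketch contrasts the pattern the advisory describes, a client-supplied URI used without validation, with a validator of the kind an SSRF fix needs: scheme, port and host allowlists, rejection of credentials embedded in the authority, and a check on the address the host name actually resolves to. The allowlist, host names, IP addresses and the stub resolver are constructed assumptions for the example.

```python
"""Illustrative SSRF guard (added example, not PeopleSoft code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only external services this app should call.
ALLOWED_HOSTS = {"api.partner.example", "sso.example.org"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS answers so the example runs offline. The second name
# deliberately resolves to an internal address to show why resolving matters.
FAKE_DNS = {
    "api.partner.example": "93.184.216.34",
    "sso.example.org": "10.0.0.5",
}


def fake_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname; raises like it does on NXDOMAIN."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


def unvalidated_target(url: str) -> str:
    """The vulnerable pattern: the URI from the request is used as-is, so a
    caller can aim the server at 169.254.169.254, 127.0.0.1, or any internal
    host the server can reach."""
    return url


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return addr.is_global


def validate_target(url: str, resolver=socket.gethostbyname):
    """Return (host, resolved_ip, port) if the URL may be fetched, else None.
    Every check is an allowlist, not a denylist of known-bad hosts."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None                      # file:, gopher:, dict:, ... rejected
    host = parts.hostname
    if host is None:
        return None
    if parts.username is not None or parts.password is not None:
        return None                      # "allowed@evil" style authority tricks
    try:
        port = parts.port
    except ValueError:
        return None                      # non-numeric or out-of-range port
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return None
    if host.lower() not in ALLOWED_HOSTS:
        return None
    # Resolve and check the address: an allowlisted name that points at an
    # internal address (stale record, attacker-controlled zone, rebinding)
    # would otherwise turn the allowlist into an SSRF pivot.
    try:
        ip = resolver(host)
    except OSError:
        return None
    if not is_public_ip(ip):
        return None
    return (host.lower(), ip, port)


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/ping",
        "http://169.254.169.254/latest/meta-data/",
        "https://sso.example.org/",
        "http://api.partner.example@127.0.0.1/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_target(candidate, resolver=fake_resolver))
```

A real fix would also pin the connection to the validated IP (rather than letting the HTTP client resolve the name a second time) and apply the same validation to every redirect target; the example stops at the decision so it stays self-contained.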

Exploitation and Impact

On its own, the SSRF carries a high confidentiality impact and a low integrity impact in CVSS terms, but ZDI notes that an attacker can chain it with additional vulnerabilities to execute arbitrary code in the context of the PeopleSoft service account. That chaining potential raises the practical risk above what the SSRF classification alone suggests.

Patch and Credit

Oracle has issued a corrective update. Administrators running affected PeopleSoft installations should apply the fix referenced in Oracle's security alert on its advisory page. Delaying remediation of an unauthenticated, network-accessible vulnerability of this severity is inadvisable, particularly for internet-facing PeopleSoft deployments. Where the update cannot be applied immediately, restricting the PeopleSoft tier's outbound network access limits what an SSRF can reach, but that is a compensating control, not a fix.

The vulnerability was discovered and reported by Bobby Gould and Minh Giang of TrendAI Zero Day Initiative, along with Lucas Miller of TrendAI Research.