CVE-2026-21971

5.4 MEDIUM

📋 TL;DR

This vulnerability in Oracle PeopleSoft Enterprise SCM Purchasing allows authenticated attackers with low privileges to modify or delete some purchasing data and read limited information via HTTP requests. It affects PeopleSoft Enterprise SCM Purchasing version 9.2, potentially impacting organizations using this procurement system.

💻 Affected Systems

Products:
  • Oracle PeopleSoft Enterprise SCM Purchasing
Versions: 9.2
Operating Systems: Any OS running PeopleSoft
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Purchasing component within PeopleSoft Enterprise SCM. Requires HTTP access to the PeopleSoft application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate purchasing data, create fraudulent orders, modify vendor information, or exfiltrate sensitive procurement data, potentially leading to financial loss or supply chain disruption.

🟠 Likely Case

Low-privileged users or compromised accounts could modify purchase orders, change vendor details, or access restricted purchasing information they shouldn't see.

🟢 If Mitigated

With proper access controls and network segmentation, impact would be limited to authorized users making unauthorized changes within their assigned business units.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but only low privileges. Attack vector is straightforward via HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Oracle Critical Patch Update for January 2026

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2026.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch following Oracle PeopleSoft patching procedures.
3. Restart the PeopleSoft application server.
4. Test purchasing functionality.

🔧 Temporary Workarounds

Network Access Restriction (all)

Restrict HTTP access to the PeopleSoft Purchasing application to authorized users and networks only.

Privilege Reduction (all)

Review user privileges in PeopleSoft Purchasing and reduce them to the minimum required for each role.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PeopleSoft Purchasing from untrusted networks
  • Enhance monitoring of purchasing data modifications and implement approval workflows for critical changes

🔍 How to Verify

Check if Vulnerable:

Check the PeopleTools version and whether the instance runs PeopleSoft Enterprise SCM Purchasing 9.2 without the January 2026 Oracle Critical Patch Update applied.

Check Version:

Check PeopleTools version in PeopleSoft application or via PSADMIN utility

Verify Fix Applied:

Verify patch application through PeopleSoft Change Assistant and confirm version in Oracle documentation

📡 Detection & Monitoring

Log Indicators:

  • Unusual pattern of purchasing data modifications
  • Multiple failed authorization attempts followed by successful purchasing transactions
  • User accounts accessing purchasing functions outside normal business hours

Network Indicators:

  • HTTP requests to purchasing endpoints from unusual IP addresses
  • Burst of purchasing-related API calls

SIEM Query:

source="peoplesoft" AND (event_type="purchase_modify" OR event_type="vendor_update") AND user_privilege="low" AND result="success"
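The following is an added example, not part of the advisory and not Oracle code: a small detector that applies the log indicators above and the SIEM condition to audit records. The record format is constructed for this example; the field names event_type, user_privilege and result follow the SIEM query, while ts, user, src_ip, the business-hours window and the trusted network range are assumptions. Real PeopleSoft audit and web server log fields differ and would need to be mapped onto these names first.

```python
"""Added example: apply the advisory's detection indicators to audit records.

Not from the advisory or from Oracle. Record layout and thresholds are
assumptions for this example only.
"""
from collections import defaultdict
from datetime import datetime, time
import ipaddress

# Constructed sample audit events (not real PeopleSoft log output).
SAMPLE_EVENTS = [
    {"ts": "2026-01-21T09:15:00", "user": "buyer01", "src_ip": "10.0.5.21",
     "event_type": "purchase_view", "user_privilege": "low", "result": "success"},
    {"ts": "2026-01-21T09:16:10", "user": "buyer01", "src_ip": "10.0.5.21",
     "event_type": "vendor_update", "user_privilege": "low", "result": "denied"},
    {"ts": "2026-01-21T09:16:15", "user": "buyer01", "src_ip": "10.0.5.21",
     "event_type": "vendor_update", "user_privilege": "low", "result": "denied"},
    {"ts": "2026-01-21T09:16:40", "user": "buyer01", "src_ip": "10.0.5.21",
     "event_type": "vendor_update", "user_privilege": "low", "result": "success"},
    {"ts": "2026-01-21T23:40:00", "user": "temp07", "src_ip": "203.0.113.9",
     "event_type": "purchase_modify", "user_privilege": "low", "result": "success"},
    {"ts": "2026-01-21T10:05:00", "user": "admin02", "src_ip": "10.0.5.30",
     "event_type": "purchase_modify", "user_privilege": "high", "result": "success"},
]

MODIFY_EVENTS = {"purchase_modify", "vendor_update"}   # from the SIEM query
BUSINESS_HOURS = (time(7, 0), time(19, 0))             # assumption
FAILED_THRESHOLD = 2                                   # assumption: denials before a success
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumption: internal range


def siem_match(ev):
    """The advisory's SIEM condition: a low-privilege, successful modification."""
    return (ev["event_type"] in MODIFY_EVENTS
            and ev["user_privilege"] == "low"
            and ev["result"] == "success")


def outside_business_hours(ev):
    """Log indicator: purchasing activity outside the assumed business window."""
    t = datetime.fromisoformat(ev["ts"]).time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def from_untrusted_network(ev):
    """Network indicator: request source not inside the trusted ranges."""
    ip = ipaddress.ip_address(ev["src_ip"])
    return not any(ip in net for net in TRUSTED_NETS)


def detect(events):
    """Return (indicator, user, ts) findings, evaluated in timestamp order.

    Tracks consecutive denied modification attempts per user so that a
    success following several denials is reported separately.
    """
    findings = []
    denied = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event_type"] in MODIFY_EVENTS and ev["result"] == "denied":
            denied[user] += 1
            continue
        if siem_match(ev):
            findings.append(("low_priv_modify", user, ev["ts"]))
            if denied[user] >= FAILED_THRESHOLD:
                findings.append(("denied_then_success", user, ev["ts"]))
            if outside_business_hours(ev):
                findings.append(("off_hours_modify", user, ev["ts"]))
            if from_untrusted_network(ev):
                findings.append(("external_source", user, ev["ts"]))
        denied[user] = 0   # any non-denied event breaks the denial streak
    return findings


if __name__ == "__main__":
    for indicator, user, ts in detect(SAMPLE_EVENTS):
        print(f"{ts}  {user:<8}  {indicator}")
```

On the constructed sample this flags buyer01's successful vendor update after two denials and temp07's off-hours modification from an address outside the trusted range, while the high-privilege administrator's change is not reported. The SIEM condition alone is noisy on systems where low-privilege buyers legitimately edit orders, so the additional indicators are what make a single match worth triage.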
