Critical SSRF in Oracle PeopleSoft (CVE‑2026‑35273) Enables Unauthenticated Server‑Side Requests
What It Is — A server‑side request forgery (SSRF) flaw in the HttpListeningConnector class of Oracle PeopleSoft allows an attacker to force the application to issue arbitrary HTTP requests to internal or external resources. No authentication or user interaction is required.
Exploitability — The vulnerability is rated CVSS 9.3 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). A proof‑of‑concept exists in the advisory; exploitation is trivial on unpatched installations.
Affected Products — Oracle PeopleSoft (all supported versions that include the vulnerable HttpListeningConnector component).
Why It Matters for Compliance & Audit Readiness
- Control Mapping: SSRF reveals a missing input‑validation control, a gap that must be mapped to SOC 2 CC6.1 (System Operations) and CC7.1 (Change Management).
- Continuous Evidence: Demonstrating that the control gap has been remediated and that validation is continuously monitored provides audit‑ready evidence for both internal and external reviewers.
- Enterprise Buyer Expectation: Large customers now demand proof that critical ERP platforms are hardened against server‑side attacks as part of their SOC 2 vendor‑management assessments.
Recommended Actions
- Apply Oracle’s security update for CVE‑2026‑35273 immediately.
- Validate all inbound URIs in the
HttpListeningConnectoror any custom adapters; enforce allow‑list rules for outbound destinations. - Map the remediation to SOC 2 controls (CC6.1, CC7.1) and capture the patch deployment as immutable evidence in your compliance repository.
- Enable continuous monitoring of outbound traffic from PeopleSoft servers to detect anomalous request patterns.
- Update your vendor‑risk questionnaire to include SSRF testing for any third‑party ERP components.
Source: Zero Day Initiative Advisory – ZDI‑26‑387 (CVE‑2026‑35273)