HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical SSRF in Oracle PeopleSoft (CVE-2026-35273) Enables Unauthenticated Server‑Side Requests

Oracle PeopleSoft contains a critical server‑side request forgery flaw (CVE‑2026‑35273) that lets unauthenticated attackers force arbitrary HTTP calls. The issue highlights missing input‑validation controls that must be mapped to SOC 2 requirements, making remediation essential for audit readiness.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 zerodayinitiative.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
zerodayinitiative.com

Critical SSRF in Oracle PeopleSoft (CVE‑2026‑35273) Enables Unauthenticated Server‑Side Requests

What It Is — A server‑side request forgery (SSRF) flaw in the HttpListeningConnector class of Oracle PeopleSoft allows an attacker to force the application to issue arbitrary HTTP requests to internal or external resources. No authentication or user interaction is required.

Exploitability — The vulnerability is rated CVSS 9.3 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). A proof‑of‑concept exists in the advisory; exploitation is trivial on unpatched installations.

Affected Products — Oracle PeopleSoft (all supported versions that include the vulnerable HttpListeningConnector component).

Why It Matters for Compliance & Audit Readiness

  • Control Mapping: SSRF reveals a missing input‑validation control, a gap that must be mapped to SOC 2 CC6.1 (System Operations) and CC7.1 (Change Management).
  • Continuous Evidence: Demonstrating that the control gap has been remediated and that validation is continuously monitored provides audit‑ready evidence for both internal and external reviewers.
  • Enterprise Buyer Expectation: Large customers now demand proof that critical ERP platforms are hardened against server‑side attacks as part of their SOC 2 vendor‑management assessments.

Recommended Actions

  • Apply Oracle’s security update for CVE‑2026‑35273 immediately.
  • Validate all inbound URIs in the HttpListeningConnector or any custom adapters; enforce allow‑list rules for outbound destinations.
  • Map the remediation to SOC 2 controls (CC6.1, CC7.1) and capture the patch deployment as immutable evidence in your compliance repository.
  • Enable continuous monitoring of outbound traffic from PeopleSoft servers to detect anomalous request patterns.
  • Update your vendor‑risk questionnaire to include SSRF testing for any third‑party ERP components.

Source: Zero Day Initiative Advisory – ZDI‑26‑387 (CVE‑2026‑35273)

📰 Original Source
http://www.zerodayinitiative.com/advisories/ZDI-26-387/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →