Oracle PeopleSoft Unauthenticated Java Deserialization SSRF / RCE (CVE-2026-35273)

Severity: Critical | Nessus Plugin ID 321385

Synopsis

The remote Oracle PeopleSoft PeopleTools server is affected by an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the Integration Broker that enables an attacker to relay requests to the local Environment Management Hub and ultimately achieve remote code execution.

Description

The remote Oracle PeopleSoft PeopleTools server exposes both the Integration Broker gateway ('/PSIGW/HttpListeningConnector') and the Environment Management Hub ('/PSEMHUB/hub') on the same web tier. The Integration Broker fails to validate that XML documents submitted by unauthenticated clients do not reference internal or external network resources.

An attacker posts a crafted XML envelope (DOCTYPE external-entity, EnvironmentManagement message, or IBRequest SOAP message) whose 'sourceURL', 'url', or 'HubURL' element points to an attacker-controlled URL. The Integration Broker acts as an unauthenticated SSRF proxy:
- Outbound: the IB resolves and fetches attacker-controlled external URLs, leaking DNS queries and potentially cloud instance metadata.
- Inbound loopback: when the SSRF target is http://127.0.0.1:<port>/PSEMHUB/hub, the IB relays the request to the local Hub. The Hub accepts loopback connections without authentication. Published exploit chains pass a serialized Java object in the 'OPERATION' POST parameter, which the Hub deserializes, to invoke Hub operations (FILECHUNKING, REGISTER_WITHOUT_PEERNAME, HANDLE_MESSAGE) and achieve remote code execution as the PeopleSoft application server user.

Nessus confirmed the SSRF non-destructively by:
1. Verifying /PSEMHUB/hub is present (not mitigated by context root removal).
2. Sending three XML payload shapes to /PSIGW/HttpListeningConnector with the SSRF target set to a per-scan DNS callback URL.
3. Detecting an outbound DNS resolution of the callback hostname, which proves the Integration Broker followed the attacker-supplied URL.

A patched or mitigated system either returns HTTP 404 for /PSEMHUB/hub (context root removed) or rejects the XML before dereferencing the URL, and no DNS callback is observed.
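A defender-side illustration of the second mitigation path, rejecting the envelope before any URL is dereferenced; this is an added example, not Nessus or Oracle code. It inspects the element names the advisory lists ('sourceURL', 'url', 'HubURL'), refuses any DOCTYPE declaration, and permits only HTTP(S) URLs whose host is on an assumed allowlist; the sample envelopes and the host ib-partner.example.com are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Element names the advisory lists as carrying the attacker-controlled URL.
URL_ELEMENTS = {"sourceURL", "url", "HubURL"}
# Assumed allowlist of hosts an inbound IB message may legitimately reference.
ALLOWED_HOSTS = {"ib-partner.example.com"}


def local_name(tag):
    """Strip a namespace prefix: '{urn:x}sourceURL' -> 'sourceURL'."""
    return tag.rsplit("}", 1)[-1]


def host_is_internal(host):
    """True for loopback, private, link-local (cloud metadata) or unspecified IP literals."""
    if host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname, not an IP literal; the allowlist decides


def check_envelope(xml_bytes):
    """Return a list of rejection reasons for an inbound envelope; [] means accept."""
    text = xml_bytes.decode("utf-8", "replace")
    # Refuse DOCTYPE outright: the advisory names external-entity payloads as one shape.
    if re.search(r"<!DOCTYPE", text, re.IGNORECASE):
        return ["DOCTYPE declaration present"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    reasons = []
    for el in root.iter():
        name = local_name(el.tag)
        if name not in URL_ELEMENTS:
            continue
        value = (el.text or "").strip()
        parsed = urlparse(value)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https") or not host:
            reasons.append(f"{name}: non-HTTP or hostless URL {value!r}")
        elif host_is_internal(host):
            reasons.append(f"{name}: loopback/internal target {host}")
        elif host not in ALLOWED_HOSTS:
            reasons.append(f"{name}: host {host} not on allowlist")
    return reasons
```

Because any host that is not an IP literal must match the allowlist, encoded-address tricks and attacker-owned DNS names are rejected without needing a resolver step in the check.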

Solution

See the Oracle Patch Availability Docs: CPU187 and CPU167.

See Also

http://www.nessus.org/u?591b7005

http://www.nessus.org/u?47a22845

Plugin Details

Severity: Critical

ID: 321385

File Name: oracle_peoplesoft_ssrf_cve_2026_35273.nbin

Version: 1.1

Type: Remote

Family: Misc.

Published: 6/17/2026

Updated: 6/17/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-35273

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:oracle:peoplesoft_enterprise_peopletools

Exploited by Nessus: true

Patch Publication Date: 6/11/2026

Vulnerability Publication Date: 6/11/2026

Reference Information

CVE: CVE-2026-35273