Oracle Releases First Critical Security Patch Update With Fixes for 35 Vulnerabilities
Oracle has released its first Critical Security Patch Update, a new monthly patch format designed to deliver high-priority security fixes between the company’s larger quarterly Critical Patch Updates. The Oracle May 2026 Critical Security Patch Update Advisory includes 35 new security patches across Oracle Database Server, Oracle REST Data Services, Oracle Communications, Oracle E-Business Suite, and Oracle Hospitality Applications.
The update was published on May 28, 2026. Oracle said in its security blog post that the patches apply to a wide range of product families, including database, REST, communications, E-Business Suite, and hospitality products.
The new CSPU model gives Oracle customers a smaller and more focused set of fixes than the regular quarterly CPU. A Tenable analysis says the May release addresses 35 unique CVEs, including 11 critical-severity issues.
What Oracle Changed With the New CSPU Model
Critical Security Patch Updates are meant to complement Oracle’s quarterly Critical Patch Updates, not replace them. The monthly releases focus on high-priority vulnerabilities that Oracle wants customers to patch sooner.
Oracle’s security alerts page says the first CSPU arrived on May 28, 2026. The company will publish future CSPUs on the third Tuesday of February, March, May, June, August, September, November, and December, while regular CPUs remain scheduled for January, April, July, and October.
This means Oracle customers now have a faster security patching cadence. Instead of waiting up to three months for the next quarterly CPU, some high-risk fixes can now arrive in a focused monthly release.
| Patch Program | Purpose | Typical Schedule |
|---|---|---|
| Critical Patch Update | Large cumulative security update across many Oracle products | January, April, July, and October |
| Critical Security Patch Update | Smaller focused update for high-priority fixes | February, March, May, June, August, September, November, and December |
| Security Alert | Emergency fix for issues too urgent to wait | As needed |
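The cadence described above is easy to get wrong in a patch-window plan, because the two programs alternate month by month and each lands on the third Tuesday. The following helper, added here as an example and not Oracle's own tooling, builds the forward calendar from the months the article quotes from Oracle's security alerts page and answers "when is the next CPU or CSPU after a given date". It models only the stated schedule; the first CSPU on May 28, 2026 preceded that schedule and is not derived from it. The function names and the `review_days` idea are this example's own.

```python
"""Oracle CPU/CSPU release-calendar helper (added example, not Oracle's own code)."""
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Release months as quoted from Oracle's security alerts page in the article.
CPU_MONTHS = (1, 4, 7, 10)
CSPU_MONTHS = (2, 3, 5, 6, 8, 9, 11, 12)
TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def third_tuesday(year: int, month: int) -> date:
    """Both programs are published on the third Tuesday of their month."""
    first = date(year, month, 1)
    offset = (TUESDAY - first.weekday()) % 7  # days from the 1st to the first Tuesday
    return first + timedelta(days=offset + 14)


def release_calendar(year: int) -> List[Tuple[date, str]]:
    """Every expected CPU and CSPU date in a calendar year, chronologically."""
    events = [(third_tuesday(year, m), "CPU") for m in CPU_MONTHS]
    events += [(third_tuesday(year, m), "CSPU") for m in CSPU_MONTHS]
    return sorted(events)


def next_release(after: date, kind: Optional[str] = None) -> Tuple[date, str]:
    """First release strictly after `after`, optionally limited to 'CPU' or 'CSPU'."""
    for year in (after.year, after.year + 1):
        for when, what in release_calendar(year):
            if when > after and (kind is None or what == kind):
                return when, what
    raise RuntimeError("no release found within a year (should not happen)")


def days_until_next(after: date, kind: Optional[str] = None) -> int:
    """How many days a team has before the next release of the given kind."""
    when, _ = next_release(after, kind)
    return (when - after).days


if __name__ == "__main__":
    # Constructed starting point: the day the first CSPU was published.
    today = date(2026, 5, 28)
    for when, what in release_calendar(2026):
        if when > today:
            print(f"{when.isoformat()}  {what}")
    print("next CSPU:", next_release(today, "CSPU"))
    print("next CPU: ", next_release(today, "CPU"))
```

Run from May 28, 2026 the calendar gives June 16 as the next CSPU and July 21 as the next CPU, the same two dates Oracle's page lists, which is a quick sanity check that the month list and the third-Tuesday rule were transcribed correctly.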
Oracle Database and ORDS Get Urgent Fixes
Oracle Database Server versions 23.4.0 through 23.26.2 receive three new Net Service fixes. All three issues can be exploited remotely over TLS without authentication, and Oracle says the patches also apply to client-only installations.
The most severe database issue in this group is CVE-2026-46833, which carries a CVSS 3.1 score of 9.0. Oracle says the patches must be applied to all 23.x Oracle Homes, including Database, Grid, and Client installations.
Oracle REST Data Services is one of the most exposed product groups in this release. ORDS versions 24.2.0 through 26.1.0 receive 11 new patches, and seven of those vulnerabilities can be exploited remotely over HTTPS without authentication.
CVE-2026-46840 Carries the Highest Score
The most severe issue listed in ORDS is CVE-2026-46840. Oracle gives it a CVSS 3.1 score of 10.0, and the public CVE-2026-46840 record describes an unauthenticated HTTPS attack path that can compromise Oracle REST Data Services.
The vulnerability affects the Backend-as-a-Service component in ORDS. Oracle’s scoring shows high impact to confidentiality, integrity, and availability, with scope change, meaning a successful attack can affect resources beyond the vulnerable component itself.
ORDS also received fixes for several Core and MongoAPI issues, including CVE-2026-2332, CVE-2026-46775, CVE-2026-46839, CVE-2026-46829, CVE-2026-46830, CVE-2026-46841, CVE-2026-46842, and CVE-2026-46843.
E-Business Suite Has the Most Fixes
Oracle E-Business Suite received 12 new patches, the highest count in the May CSPU. The affected versions are 12.2.3 through 12.2.15.
Several E-Business Suite flaws carry critical scores. These include CVE-2026-46822 in Oracle iAssets, CVE-2026-46824 in Oracle Universal Work Queue, CVE-2026-46817 in Oracle Payments, and CVE-2026-46819 in Oracle Internet Procurement Connector.
The Tenable breakdown says E-Business Suite accounts for 12 of the 35 patches, or 34.3% of the May CSPU total. ORDS follows with 11 patches.
| Product Family | New Patches | Remote Exploit Without Authentication |
|---|---|---|
| Oracle E-Business Suite | 12 | 3 |
| Oracle REST Data Services | 11 | 7 |
| Oracle Communications | 8 | 4 |
| Oracle Database Server | 3 | 3 |
| Oracle Hospitality Applications | 1 | 1 |
Communications and Hospitality Products Are Also Affected
Oracle Communications Unified Assurance versions 6.1.1 through 7.0.0 receive eight new patches. Four of those issues can be exploited remotely without authentication.
The most severe Communications flaw listed in the advisory is CVE-2026-33557, which affects the Message Bus component through Apache Kafka and carries a CVSS score of 9.1. Other fixes cover third-party components such as MySQL Server, Apache ActiveMQ, PCRE2, Apache Tomcat, Apache ZooKeeper, libpng, and Apache HTTP Server.
Oracle Hospitality OPERA 5 Property Services also receives a critical patch for CVE-2026-34311. The issue affects several 5.6.x releases and can be exploited remotely without authentication.
Why Admins Should Not Delay These Patches
Oracle warns that it continues to receive reports of attackers exploiting older vulnerabilities after patches were already available. The company says some attacks succeed because customers fail to apply available Oracle security updates.
The Oracle advisory says blocking affected network protocols or removing unnecessary privileges may reduce risk before patching. Oracle also warns that those steps can break application functionality and should not replace the underlying patch.
That warning matters for internet-facing ORDS endpoints, exposed E-Business Suite modules, and any environment with Oracle Database 23.x client or Grid installations. Customers should test and deploy the CSPU on supported versions as quickly as their change process allows.
Priority List for Security Teams
- Patch Oracle REST Data Services endpoints exposed to the internet or partner networks.
- Apply Oracle Database 23.x Net Service fixes to Database, Grid, and Client Oracle Homes.
- Review Oracle E-Business Suite 12.2.3 through 12.2.15 environments for affected modules.
- Patch Oracle Communications Unified Assurance 6.1.1 through 7.0.0.
- Patch Oracle Hospitality OPERA 5 Property Services in affected 5.6.x deployments.
- Use the risk matrices to prioritize unauthenticated remote flaws first.
- Check whether any affected Oracle components use bundled third-party libraries.
Next Oracle Patch Dates
The CSPU program changes the way many Oracle customers should plan their patch windows. Security teams now need to track both monthly CSPUs and quarterly CPUs.
The Oracle security alerts page lists June 16, 2026, as the next CSPU date, followed by the July 21, 2026 Critical Patch Update. Oracle’s May release post also points customers to the full advisory and My Oracle Support executive summary for deployment details.
The public CVE record for CVE-2026-46840 highlights why this cadence matters. High-scoring, unauthenticated, network-exploitable vulnerabilities in enterprise products can create immediate exposure when systems remain unpatched.
The Bottom Line
Oracle’s first CSPU gives customers a smaller but urgent patch set covering 35 vulnerabilities across five product families. The highest priority items include ORDS, E-Business Suite, Oracle Database 23.x Net Service, Communications Unified Assurance, and Hospitality OPERA 5.
Security teams should treat this release as an operational change, not just another advisory. Oracle’s official patch schedule now includes monthly security updates in addition to quarterly CPUs, which means Oracle environments need a faster and more regular patch review process.
FAQ
What is the Oracle May 2026 Critical Security Patch Update?
Oracle’s May 2026 Critical Security Patch Update is the first release in a new monthly patch program. It contains 35 new security patches across Oracle Database Server, Oracle REST Data Services, Oracle Communications, Oracle E-Business Suite, and Oracle Hospitality Applications.
Which product received the most fixes?
Oracle E-Business Suite has the most fixes, with 12 new patches. Oracle REST Data Services follows with 11 patches.
What is the most severe ORDS vulnerability in this release?
CVE-2026-46840 is the most severe ORDS issue listed in the May CSPU. It affects the Backend-as-a-Service component and carries a CVSS 3.1 score of 10.0.
Are the Oracle Database Server fixes remotely exploitable without authentication?
Yes. Oracle says all three Oracle Database Server Net Service vulnerabilities in this update can be exploited remotely over TLS without authentication, and the fixes also apply to client-only installations.
When are the next Oracle patch releases?
Oracle lists June 16, 2026, as the next Critical Security Patch Update date. The next quarterly Critical Patch Update is scheduled for July 21, 2026.