Oracle has rolled out its first Critical Security Patch Update (CSPU), delivering 35 new security fixes for serious vulnerabilities across several major product lines, including Oracle Database, Oracle REST Data Services, Oracle Communications Unified Assurance, Oracle E‑Business Suite, and Oracle Hospitality OPERA 5.
This new CSPU model is designed as a smaller, focused set of high‑priority fixes that complements Oracle’s existing quarterly Critical Patch Updates (CPUs), giving customers a faster way to remediate critical issues between the larger cumulative releases.
The May 28, 2026 CSPU marks the debut of Oracle’s monthly security patching cycle, with future CSPUs planned for the third Tuesday of most months.
Unlike CPUs, which can contain hundreds of fixes across dozens of product families, this CSPU concentrates on 35 new vulnerabilities that Oracle has assessed as requiring accelerated attention.
Oracle Critical Security Update
These patches cover both Oracle’s own code and widely used third‑party components embedded in Oracle products, such as Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and Apache HTTP Server.
In the database stack, Oracle Database Server versions 23.4.0 through 23.26.2 receive three new security patches for the Net Service component.
All three issues, tracked as CVE‑2026‑46833, CVE‑2026‑46834, and CVE‑2026‑46835, can be exploited remotely over TLS without authentication, and the fixes apply even to client‑only installations that do not have a full database server deployed.
This makes patching essential for any environment where Oracle client libraries are exposed to untrusted networks or intermediary services.
Oracle REST Data Services (ORDS) versions 24.2.0 to 26.1.0 are particularly affected, with 11 new security patches and additional updates for bundled third‑party components.
Seven of these flaws are remotely exploitable over HTTPS without user credentials, affecting ORDS core, Backend‑as‑a‑Service, MongoAPI, and the Eclipse Jetty stack.
CVE‑2026‑46840 in the Backend‑as‑a‑Service component carries a CVSS v3.1 base score of 10.0, signaling complete compromise of confidentiality, integrity, and availability if exploited on an exposed ORDS endpoint.
Oracle Communications Unified Assurance versions 6.1.1 through 7.0.0 receive eight new patches, including four vulnerabilities that are remotely exploitable without authentication in messaging and core web components.
The CSPU also delivers 12 new fixes for Oracle E‑Business Suite 12.2.3–12.2.15, impacting modules such as Payments, Payroll, iAssets, Flow Manufacturing, and Financials Common Modules, with several CVSS scores of 9.8 and 9.9 over HTTP or HTTPS.
In the hospitality domain, Oracle Hospitality OPERA 5 Property Services is affected by CVE‑2026‑34311, a critical remote issue scoring 9.8 and impacting multiple 5.6.x releases.
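As an added triage example (not Oracle's code or the article's), the affected version ranges quoted above can be checked against an asset inventory; the hostnames and versions in the sample inventory are constructed, and OPERA 5 is left out because the summary gives only "5.6.x" rather than exact bounds.

```python
import re

# Affected ranges and notes copied from the CSPU summary above (inclusive bounds).
AFFECTED = [
    ("Oracle Database Server", "23.4.0", "23.26.2",
     "Net Service CVE-2026-46833/-46834/-46835: remote over TLS, no auth; client-only installs too"),
    ("Oracle REST Data Services", "24.2.0", "26.1.0",
     "11 fixes; CVE-2026-46840 (CVSS 10.0) in Backend-as-a-Service"),
    ("Oracle Communications Unified Assurance", "6.1.1", "7.0.0",
     "8 fixes, 4 remotely exploitable without authentication"),
    ("Oracle E-Business Suite", "12.2.3", "12.2.15",
     "12 fixes, several CVSS 9.8/9.9 over HTTP or HTTPS"),
]

def parse_version(text):
    """Turn '23.26.2' into (23, 26, 2); non-numeric suffixes are ignored.
    Returns None when the string carries no numeric version at all."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) if parts else None

def in_range(version, low, high):
    """Inclusive numeric tuple comparison; shorter tuples are zero-padded so
    that '23.26.2' and '23.26.2.0' compare equal (string comparison would not)."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    if v is None:
        return False
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)

def triage(inventory):
    """Return [(host, product, version, note)] for every inventory entry whose
    product/version falls inside one of the ranges listed in AFFECTED."""
    hits = []
    for host, product, version in inventory:
        for name, low, high, note in AFFECTED:
            if product == name and in_range(version, low, high):
                hits.append((host, product, version, note))
    return hits

# Constructed sample inventory: hostnames and versions are invented for illustration.
SAMPLE_INVENTORY = [
    ("db-prod-01", "Oracle Database Server", "23.9.0"),
    ("app-client-07", "Oracle Database Server", "23.26.2"),   # client-only install, still affected
    ("ords-edge-02", "Oracle REST Data Services", "26.1.0"),
    ("ords-lab-01", "Oracle REST Data Services", "23.4.1"),   # below the affected range
    ("ebs-fin-01", "Oracle E-Business Suite", "12.2.15"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_INVENTORY):
        print(*hit, sep=" | ")
```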
Oracle’s Security Alert advisories provide CVSS-rated vulnerability listings, detailed advisories, risk matrices, and CSAF feeds for automated vulnerability management.
The advisory stresses that attackers continue to successfully exploit already‑patched flaws in environments where customers have delayed updates, and strongly urges immediate deployment of CSPU patches on all supported versions.
While temporary risk reduction may be possible by blocking affected network protocols or stripping unnecessary privileges, Oracle warns that such measures can break application functionality and must not be treated as long‑term substitutes for patching the underlying code.