Oracle has released its latest Critical Security Patch Update (CSPU), containing 35 new security patches that address serious vulnerabilities across several major product lines, including Oracle Database, Oracle REST Data Services, Oracle Communications Unified Assurance, Oracle E-Business Suite, and Oracle Hospitality OPERA 5.
Introduction of the Monthly CSPU Model
The newly launched CSPU model represents a streamlined, targeted approach to addressing urgent security concerns, designed to supplement Oracle’s established quarterly Critical Patch Updates (CPUs). This allows customers to quickly address critical vulnerabilities outside of the more comprehensive quarterly patch cycle.
Launched on May 28, 2026, the CSPU marks the start of Oracle’s monthly security update cycle, with future updates planned for the third Tuesday of most months. Unlike the broader CPUs, which often include hundreds of patches, this CSPU specifically targets 35 vulnerabilities that Oracle has identified as requiring immediate attention.
Details of the New Security Patches
The recent patches cover not only Oracle’s proprietary code but also widely used third-party components integrated into Oracle products, like Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and the Apache HTTP Server.
Within the database stack, three new security patches have been released for Oracle Database Server versions 23.4.0 through 23.26.2, specifically targeting the Net Service component. These vulnerabilities, identified as CVE-2026-46833, CVE-2026-46834, and CVE-2026-46835, can be exploited remotely over TLS without requiring authentication, highlighting the critical need for patching, especially in environments where Oracle client libraries are exposed to untrusted networks.
Impact on Various Oracle Products
Oracle REST Data Services (ORDS) versions 24.2.0 to 26.1.0 have been notably affected, with 11 new security patches and updates to bundled third-party components. Seven of these vulnerabilities can be exploited remotely over HTTPS without user credentials, impacting ORDS core, Backend-as-a-Service, MongoAPI, and the Eclipse Jetty stack. One of the vulnerabilities, CVE-2026-46840, presents a severe risk with a CVSS v3.1 base score of 10.0, indicating a complete compromise of confidentiality, integrity, and availability if exploited.
Oracle Communications Unified Assurance versions 6.1.1 through 7.0.0 have received eight new patches, including four that can be remotely exploited without authentication in messaging and core web components. Furthermore, the CSPU provides 12 new fixes for Oracle E-Business Suite 12.2.3–12.2.15, impacting modules such as Payments, Payroll, iAssets, Flow Manufacturing, and Financials Common Modules.
In the hospitality sector, Oracle Hospitality OPERA 5 Property Services faces a critical issue with CVE-2026-34311, a remote vulnerability scoring 9.8 that affects multiple 5.6.x releases.
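A first step for defenders is matching an asset inventory against the affected version ranges listed above. The following triage helper is an added example, not Oracle tooling; the ranges are transcribed from this article, the inventory is constructed, and it shows why versions must be compared numerically rather than as strings (as strings, "23.4.0" sorts after "23.26.2").

```python
"""Triage helper: does a deployed Oracle component version fall inside one of the
affected ranges named in this CSPU summary? Added example, not Oracle's own tooling.
Ranges are transcribed from the article; the inventory below is constructed."""


def parse_version(v, width=3):
    """Split a dotted version into a tuple of ints, padded with zeros so that
    '23.4' compares equal to '23.4.0'. Numeric tuples compare correctly where
    plain string comparison would wrongly place '23.4.0' after '23.26.2'."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


# (product, lowest affected, highest affected), inclusive, as stated in the advisory summary
AFFECTED_RANGES = [
    ("Oracle Database Server", "23.4.0", "23.26.2"),
    ("Oracle REST Data Services", "24.2.0", "26.1.0"),
    ("Oracle Communications Unified Assurance", "6.1.1", "7.0.0"),
    ("Oracle E-Business Suite", "12.2.3", "12.2.15"),
]


def is_affected(product, version):
    """True if version lies inclusively inside the listed range for product.
    A version outside the range is only 'not listed here', not proven safe;
    confirm against the vendor advisory before closing the finding."""
    for name, low, high in AFFECTED_RANGES:
        if name == product:
            return parse_version(low) <= parse_version(version) <= parse_version(high)
    return False  # product not covered by this summary


def triage(inventory):
    """Return the (host, product, version) entries that need the CSPU patches, sorted by host."""
    return sorted(entry for entry in inventory if is_affected(entry[1], entry[2]))


# Constructed sample inventory: (host, product, installed version)
INVENTORY = [
    ("db-prod-01", "Oracle Database Server", "23.26.2"),
    ("db-dev-02", "Oracle Database Server", "23.27.0"),
    ("ords-01", "Oracle REST Data Services", "25.3.1"),
    ("ebs-fin", "Oracle E-Business Suite", "12.2.15"),
    ("ebs-old", "Oracle E-Business Suite", "12.2.2"),
    ("ua-01", "Oracle Communications Unified Assurance", "7.0.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is inside an affected range; apply the CSPU patch")
```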
Importance of Immediate Patch Deployment
The advisory emphasizes the importance of promptly applying these patches, since attackers routinely target vulnerabilities for which a fix already exists but has not yet been deployed. Oracle strongly advises the immediate deployment of CSPU patches across all supported versions to mitigate this risk.
While temporary measures such as blocking affected network protocols or removing unnecessary privileges might reduce risk, Oracle warns these should not replace long-term solutions, as they may disrupt application functionality. Ensuring robust security requires consistent and timely patching of the underlying code.
