Severity
High
Analysis Summary
Oracle has introduced its first-ever Critical Security Patch Update (CSPU), a new monthly patching initiative aimed at delivering urgent security fixes faster than its traditional quarterly Critical Patch Updates (CPUs). The inaugural May 28, 2026 CSPU includes 35 high-priority security fixes affecting multiple major Oracle product families, including Oracle Database, Oracle REST Data Services (ORDS), Oracle Communications Unified Assurance, Oracle E-Business Suite, and Oracle Hospitality OPERA 5. Unlike the larger CPU releases that bundle hundreds of patches across many product lines, the CSPU model focuses specifically on critical vulnerabilities that require accelerated remediation, allowing organizations to respond more quickly to severe threats.
A significant portion of the update addresses vulnerabilities within Oracle’s database and middleware infrastructure, including components that rely on widely used third-party software such as Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and Apache HTTP Server. Oracle Database Server versions 23.4.0 through 23.26.2 received three critical fixes for the Net Service component, tracked as CVE-2026-46833, CVE-2026-46834, and CVE-2026-46835. These flaws can be exploited remotely over TLS without authentication, posing serious risks even to systems running only Oracle client libraries rather than full database servers. Oracle emphasized that organizations exposing these libraries to untrusted networks or intermediary services should prioritize immediate patch deployment to prevent unauthorized remote exploitation.
Oracle REST Data Services (ORDS) was among the most heavily impacted products, receiving 11 security patches addressing vulnerabilities in ORDS core services, Backend-as-a-Service, MongoAPI, and the Eclipse Jetty stack. Seven of these flaws are remotely exploitable over HTTPS without requiring credentials. The most severe issue, CVE-2026-46840, affects the Backend-as-a-Service component and carries the maximum CVSS v3.1 score of 10.0, indicating the potential for complete compromise of confidentiality, integrity, and availability through exposed ORDS endpoints. Oracle Communications Unified Assurance versions 6.1.1 through 7.0.0 also received eight patches, including four unauthenticated remote vulnerabilities impacting messaging and web components. Additionally, Oracle E-Business Suite versions 12.2.3 through 12.2.15 received 12 new fixes affecting critical business modules such as Payments, Payroll, iAssets, Flow Manufacturing, and Financials Common Modules, several of which carry high CVSS scores.
In the hospitality sector, Oracle Hospitality OPERA 5 Property Services was patched against CVE-2026-34311, a critical, remotely exploitable vulnerability rated High on the CVSS scale and affecting multiple 5.6.x releases. Oracle stated that the CSPU advisories include detailed CVSS ratings, risk matrices, and CSAF feeds to support automated vulnerability management and enterprise security operations. The company strongly warned that attackers frequently exploit already-patched vulnerabilities when organizations delay updates, making rapid deployment essential. While temporary mitigations such as restricting vulnerable network protocols or reducing privileges may reduce immediate exposure, Oracle cautioned that these workarounds can disrupt application functionality and should never replace proper patching of the affected software.
Impact
- Gain Access
Indicators of Compromise
CVE
- CVE-2026-46833
- CVE-2026-46834
- CVE-2026-46835
- CVE-2026-46840
- CVE-2026-34311
Remediation
- Immediately deploy the May 2026 Critical Security Patch Update (CSPU) across all affected Oracle products and supported versions.
- Prioritize patching internet-facing Oracle REST Data Services (ORDS) instances, especially those exposing Backend-as-a-Service and MongoAPI components.
- Update Oracle Database Server installations, including client-only deployments using Oracle Net Services libraries.
- Restrict access to Oracle services by limiting exposure to trusted internal networks and VPN-only access where possible.
- Block or filter unnecessary TLS, HTTP, and HTTPS access to vulnerable Oracle components from untrusted sources.
- Review and disable unused Oracle services, APIs, modules, and third-party integrations to reduce the attack surface.
- Apply the latest security updates for bundled third-party components such as Apache Tomcat, Kafka, ActiveMQ, ZooKeeper, and MySQL.
- Monitor systems for suspicious authentication attempts, abnormal HTTPS traffic, and unauthorized database activity.
- Enable detailed logging and centralized SIEM monitoring for Oracle Database, ORDS, E-Business Suite, and Hospitality services.
- Conduct vulnerability scans and configuration audits to identify unpatched Oracle assets across the environment.
- Implement network segmentation to isolate critical Oracle servers from user and public-facing networks.
- Enforce least-privilege access controls for Oracle administrative accounts and service accounts.
- Regularly back up Oracle databases and critical application configurations to support rapid recovery if exploitation occurs.
- Test patches in staging environments before production deployment to minimize operational disruptions.
- Continuously monitor Oracle security advisories, CVE disclosures, and future monthly CSPU releases for new critical fixes.
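To support the asset-identification step above, the following added example (not Oracle's tooling and not part of the original advisory) checks a constructed inventory against the affected version ranges the advisory states; the hostnames and the "any 5.6.x" modelling of OPERA 5 are assumptions, and ORDS is omitted because the advisory gives no version range for it.

```python
"""Flag Oracle assets whose version falls inside a range the May 2026 CSPU
lists as affected. Added example; inventory records are constructed."""
import re

# Inclusive affected ranges as stated in the advisory text. OPERA 5 is only
# described as "multiple 5.6.x releases", so it is modelled as all of 5.6.x
# (assumption). Client-only Oracle Net Services installs should be recorded
# under "Oracle Database Server" so they are checked too.
AFFECTED = {
    "Oracle Database Server": ("23.4.0", "23.26.2"),
    "Oracle Communications Unified Assurance": ("6.1.1", "7.0.0"),
    "Oracle E-Business Suite": ("12.2.3", "12.2.15"),
    "Oracle Hospitality OPERA 5": ("5.6.0", "5.6.999"),
}


def parse_version(s: str, width: int = 4) -> tuple:
    """Turn '23.26.2' into (23, 26, 2, 0); zero-pad so 23.4 == 23.4.0."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:          # stop at a non-numeric suffix such as '-beta'
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(parts + [0] * (width - len(parts)))[:width]


def needs_cspu(product: str, version: str) -> bool:
    """True if the product/version pair is inside an affected range."""
    rng = AFFECTED.get(product)
    if rng is None:
        return False
    low, high = (parse_version(v) for v in rng)
    return low <= parse_version(version) <= high


# Constructed inventory: hostname,product,version (one asset per line)
INVENTORY = """\
db-prod-01,Oracle Database Server,23.9.0
db-client-07,Oracle Database Server,23.3.0
ebs-app-02,Oracle E-Business Suite,12.2.15
ua-core-01,Oracle Communications Unified Assurance,7.0.1
opera-pms-01,Oracle Hospitality OPERA 5,5.6.14
"""


def triage(inventory: str) -> list:
    """Return (host, product, version) for every asset still needing the CSPU."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if needs_cspu(product, version):
            findings.append((host, product, version))
    return findings
```

Run it against an exported inventory to get the list of hosts to patch first; anything on the list that is also internet-facing should be at the top of the queue.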