This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2026, which will be released on Tuesday, July 21, 2026. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update addresses 1455 new security patches. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible.
This Critical Patch Update contains 16 new security patches for Oracle Database Products. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Database Server is 9.9.
The Oracle Database Server components and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 3 new security patches for Oracle APEX. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle APEX is 5.5.
The Oracle APEX products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 4 new security patches for Oracle Autonomous Health Framework. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Autonomous Health Framework is 8.1.
The Oracle Autonomous Health Framework products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 1 new security patch for Oracle Essbase. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Essbase is 5.4.
The Oracle Essbase products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 1 new security patch for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Global Lifecycle Management is 8.1.
The Oracle Global Lifecycle Management products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 27 new security patches for Oracle GoldenGate. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle GoldenGate is 9.1.
The Oracle GoldenGate products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle NoSQL Database is 7.3.
The Oracle NoSQL Database products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 1 new security patch for Oracle Spatial Studio. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Spatial Studio is 7.5.
The Oracle Spatial Studio products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 5 new security patches for Oracle SQL Developer. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle SQL Developer is 9.1.
The Oracle SQL Developer products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 14 new security patches for Oracle TimesTen In-Memory Database. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle TimesTen In-Memory Database is 9.9.
The Oracle TimesTen In-Memory Database products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 4 new security patches for Oracle Application Testing Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Application Testing Suite is 9.8.
The Oracle Application Testing Suite components and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 39 new security patches for Oracle Commerce. 27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Commerce is 9.9.
The Oracle Commerce products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 168 new security patches for Oracle Communications. 122 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Communications is 9.8.
The Oracle Communications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 7 new security patches for Oracle Construction and Engineering. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Construction and Engineering is 9.8.
The Oracle Construction and Engineering products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 416 new security patches for Oracle E-Business Suite. 63 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle E-Business Suite is 9.8.
The Oracle E-Business Suite products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 27 new security patches for Oracle Enterprise Manager. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Enterprise Manager is 9.8.
The Oracle Enterprise Manager products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 23 new security patches for Oracle Financial Services Applications. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Financial Services Applications is 9.8.
The Oracle Financial Services Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Food and Beverage Applications is 9.1.
The Oracle Food and Beverage Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 359 new security patches for Oracle Fusion Middleware. 224 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Fusion Middleware is 10.0.
The Oracle Fusion Middleware products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 6 new security patches for Oracle Analytics. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Analytics is 9.9.
The Oracle Analytics products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 4 new security patches for Oracle HealthCare Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle HealthCare Applications is 7.5.
The Oracle HealthCare Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 2 new security patches for Oracle Hospitality Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Hospitality Applications is 9.8.
The Oracle Hospitality Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 20 new security patches for Oracle Java SE. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.8.
The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 21 new security patches for Oracle JD Edwards. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle JD Edwards is 9.9.
The Oracle JD Edwards products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 53 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.5.
The Oracle MySQL products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 84 new security patches for Oracle PeopleSoft. 45 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle PeopleSoft is 9.9.
The Oracle PeopleSoft products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 22 new security patches for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Retail Applications is 9.8.
The Oracle Retail Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 45 new security patches for Oracle Siebel CRM. 32 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Siebel CRM is 9.9.
The Oracle Siebel CRM products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 39 new security patches for Oracle Supply Chain. 16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Supply Chain is 9.9.
The Oracle Supply Chain products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 9 new security patches for Oracle Systems. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Systems is 9.8.
The Oracle Systems products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 14 new security patches for Oracle Utilities Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Utilities Applications is 9.8.
The Oracle Utilities Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
This Critical Patch Update contains 16 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Virtualization is 7.8.
The Oracle Virtualization products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are: