Oracle Critical Patch Update Pre-Release Announcement - January 2026

Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2026, which will be released on Tuesday, January 20, 2026.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 336 new security patches. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible.

Executive Summaries

Oracle Database Server Executive Summary

This Critical Patch Update contains 7 new security patches for Oracle Database Products.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Database Server is 7.4.

The Oracle Database Server components and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Database Server, versions 19.3-19.29, 21.3-21.20, 23.4.0-23.26.0

Oracle APEX Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle APEX. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle APEX is 5.4.

The Oracle APEX products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle APEX Sample Applications, versions 23.2.0, 23.2.1, 24.1.0, 24.2.0, 24.2.1

Oracle Essbase Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle Essbase.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Essbase is 7.5.

The Oracle Essbase products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Essbase, version 21.8.0.0.0

Oracle GoldenGate Executive Summary

This Critical Patch Update contains 5 new security patches for Oracle GoldenGate.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle GoldenGate is 8.1.

The Oracle GoldenGate products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.20, 21.3-21.20, 23.4-23.10
  • Oracle GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.11

Oracle Graph Server and Client Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle Graph Server and Client. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Graph Server and Client is 5.3.

The Oracle Graph Server and Client products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Graph Server and Client, versions 24.4.4, 25.4.0

Oracle Zero Data Loss Recovery Appliance Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle Zero Data Loss Recovery Appliance.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Zero Data Loss Recovery Appliance is 3.1.

The Oracle Zero Data Loss Recovery Appliance products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Zero Data Loss Recovery Appliance Software, versions 23.1.0-23.1.202509

Oracle Commerce Executive Summary

This Critical Patch Update contains 7 new security patches for Oracle Commerce.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Commerce is 10.0.

The Oracle Commerce products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Commerce Guided Search, version 11.4.0
  • Oracle Commerce Platform, version 11.4.0

Oracle Communications Executive Summary

This Critical Patch Update contains 56 new security patches for Oracle Communications.  34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Communications is 10.0.

The Oracle Communications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Cloud Native Session Border Controller, version 25.1.0
  • Oracle Communications ASAP, versions 7.4.0, 7.4.1
  • Oracle Communications Billing and Revenue Management, versions 15.0.0.0.0, 15.0.1.0.0, 15.1.0.0.0
  • Oracle Communications BRM - Elastic Charging Engine, versions 15.0.0.0, 15.0.1.0, 15.1.0.0
  • Oracle Communications Diameter Signaling Router, versions 9.0.0, 9.0.1, 9.1.0
  • Oracle Communications Element Manager, versions 9.0.0-9.0.4
  • Oracle Communications IP Service Activator, version 7.5.0
  • Oracle Communications Network Analytics Data Director, versions 24.2.0-24.2.1, 24.3.0, 25.1.100, 25.1.200, 25.2.100
  • Oracle Communications Network Integrity, versions 7.3.6, 7.4.0, 7.5.0, 8.0.0
  • Oracle Communications Operations Monitor, versions 5.2, 6.0, 6.1
  • Oracle Communications Order and Service Management, versions 7.5.0, 8.0.0
  • Oracle Communications Policy Management, version 15.0.0.0
  • Oracle Communications Pricing Design Center, versions 15.0.0.0.0, 15.0.1.0.0, 15.1.0.0.0
  • Oracle Communications Session Border Controller, versions 9.3.0, 10.0.0
  • Oracle Communications Session Report Manager, versions 9.0.0-9.0.4
  • Oracle Communications Unified Assurance, versions 6.1.0-6.1.1
  • Oracle Communications Unified Inventory Management, versions 7.7.0, 7.8.0, 8.0.0
  • Oracle Enterprise Communications Broker, versions 4.1.0, 4.2.0, 5.0.0

Oracle Construction and Engineering Executive Summary

This Critical Patch Update contains 8 new security patches for Oracle Construction and Engineering.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Construction and Engineering is 9.8.

The Oracle Construction and Engineering products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Primavera Gateway, versions 21.12.0-21.12.16
  • Primavera P6 Enterprise Project Portfolio Management, versions 21.12.0.0-21.12.21.5, 22.12.0.0-22.12.20.0, 23.12.0.0-23.12.17.0, 24.12.0.0-24.12.11.0
  • Primavera Unifier, versions 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.16, 24.12.0-24.12.12, 25.12.0

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 8 new security patches for Oracle E-Business Suite.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle E-Business Suite is 8.8.

The Oracle E-Business Suite products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle E-Business Suite, versions 12.2.3-12.2.15

Oracle Enterprise Manager Executive Summary

This Critical Patch Update contains 4 new security patches for Oracle Enterprise Manager.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Enterprise Manager is 7.2.

The Oracle Enterprise Manager products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Application Testing Suite, version 13.3.0.1
  • Oracle Enterprise Manager Base Platform, versions 13.5, 24.1

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 38 new security patches for Oracle Financial Services Applications.  33 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Financial Services Applications is 9.1.

The Oracle Financial Services Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Banking Branch, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0, 14.8.0.0.0
  • Oracle Banking Cash Management, versions 14.5.0.15.0, 14.6.0.11.0, 14.7.0.9.0, 14.8.0.1.0, 14.8.1.0.0
  • Oracle Banking Corporate Lending Process Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Banking Liquidity Management, versions 14.5.0.14.0, 14.5.0.15.0, 14.6.0.11.0, 14.7.0.9.0, 14.8.0.1.0, 14.8.1.0.0
  • Oracle Banking Supply Chain Finance, versions 14.5.0.15.0, 14.6.0.11.0, 14.7.0.9.0, 14.8.0.1.0, 14.8.1.0.0
  • Oracle Financial Services Compliance Studio, version 2.6.0
  • Oracle Financial Services Model Management and Governance, version 8.1.3.2
  • Oracle FLEXCUBE Investor Servicing, versions 14.5.0.15.0, 14.7.0.8.0, 14.8.0.1.0
  • Oracle FLEXCUBE Universal Banking, versions 14.0.0.0.0-14.8.0.0.0
  • Oracle Insurance Policy Administration J2EE, versions 11.3.1-12.0.6

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware.  47 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Fusion Middleware is 10.0.

The Oracle Fusion Middleware products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Access Manager, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle Business Process Management Suite, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
  • Oracle Data Integrator, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Fusion Middleware, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Global Lifecycle Management NextGen OUI Framework, version 15.1.1.0.0
  • Oracle HTTP Server, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
  • Oracle Identity Manager, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle Identity Manager Connector, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle Managed File Transfer, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Middleware Common Libraries and Tools, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Outside In Technology, versions 8.5.7, 8.5.8
  • Oracle Platform Security for Java, version 12.2.1.4.0
  • Oracle Security Service, version 12.2.1.4.0
  • Oracle Service Bus, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle SOA Suite, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Unified Directory, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle WebCenter Enterprise Capture, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Sites, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0
  • Oracle Weblogic Server Proxy Plug-in, versions 12.2.1.4.0, 14.1.1.0.0
  • Service Delivery Platform, version 14.1.2.0.0

Oracle Analytics Executive Summary

This Critical Patch Update contains 8 new security patches for Oracle Analytics.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Analytics is 9.1.

The Oracle Analytics products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Business Intelligence Enterprise Edition, versions 7.6.0.0.0, 8.2.0.0.0, 12.2.1.4.0

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 5 new security patches for Oracle Health Sciences Applications.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Health Sciences Applications is 6.5.

The Oracle Health Sciences Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Life Sciences Central Coding, version 7.0.1.0
  • Oracle Life Sciences Central Designer, version 7.0.1.0

Oracle HealthCare Applications Executive Summary

This Critical Patch Update contains 6 new security patches for Oracle HealthCare Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle HealthCare Applications is 9.8.

The Oracle HealthCare Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Health Sciences Information Manager, version 4.0.0
  • Oracle Healthcare Data Repository, versions 8.2.0.5, 8.2.0.6
  • Oracle Healthcare Master Person Index, versions 5.0.0.0-5.0.9.5

Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 4 new security patches for Oracle Hospitality Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Hospitality Applications is 8.6.

The Oracle Hospitality Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Hospitality OPERA 5, versions 5.6.19.23, 5.6.25.17, 5.6.26.10, 5.6.27.4, 5.6.28.0
  • Oracle Hospitality OPERA 5 Property Services, versions 5.6.19.22, 5.6.19.23, 5.6.25.15, 5.6.25.17, 5.6.26.9, 5.6.26.10, 5.6.27.4, 5.6.28.0

Oracle Hyperion Executive Summary

This Critical Patch Update contains 12 new security patches for Oracle Hyperion.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Hyperion is 9.1.

The Oracle Hyperion products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Hyperion Calculation Manager, version 11.2.23
  • Oracle Hyperion Financial Close Management, version 11.2.23
  • Oracle Hyperion Financial Management, version 11.2.23
  • Oracle Hyperion Financial Reporting, version 11.2.23
  • Oracle Hyperion Infrastructure Technology, version 11.2.23
  • Oracle Hyperion Planning, version 11.2.23
  • Oracle Hyperion Profitability and Cost Management, version 11.2.23
  • Oracle Planning and Budgeting Cloud Service, version 25.4.7

Oracle Java SE Executive Summary

This Critical Patch Update contains 11 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.5.

The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle GraalVM Enterprise Edition, version 21.3.16
  • Oracle GraalVM for JDK, versions 17.0.17, 21.0.9
  • Oracle Java SE, versions 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1
  • Oracle JDK Mission Control, version 9.1.1

Oracle JD Edwards Executive Summary

This Critical Patch Update contains 7 new security patches for Oracle JD Edwards.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle JD Edwards is 8.1.

The Oracle JD Edwards products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • JD Edwards EnterpriseOne Tools, versions 9.2.0.0-9.2.26.0

Oracle MySQL Executive Summary

This Critical Patch Update contains 20 new security patches for Oracle MySQL.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

The Oracle MySQL products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • MySQL Cluster, versions 7.6.0-7.6.36, 8.0.0-8.0.44, 8.4.0-8.4.7, 9.0.0-9.5.0
  • MySQL Connectors, versions 9.0.0-9.5.0
  • MySQL Enterprise Backup, versions 8.0.0-8.0.44, 8.4.0-8.4.7, 9.0.0-9.5.0
  • MySQL Server, versions 8.0.0-8.0.44, 8.4.0-8.4.7, 9.0.0-9.5.0
  • MySQL Workbench, versions 8.0.0-8.0.45

Oracle PeopleSoft Executive Summary

This Critical Patch Update contains 12 new security patches for Oracle PeopleSoft.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle PeopleSoft is 10.0.

The Oracle PeopleSoft products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.60, 8.61, 8.62
  • PeopleSoft Enterprise SCM Purchasing, version 9.2

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 14 new security patches for Oracle Retail Applications.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Retail Applications is 8.8.

The Oracle Retail Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Retail Advanced Inventory Planning, versions 15.0.3, 16.0.3
  • Oracle Retail Allocation, versions 15.0.3, 16.0.3
  • Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1
  • Oracle Retail Financial Integration, versions 16.0.3, 19.0.1
  • Oracle Retail Fiscal Management, version 14.2
  • Oracle Retail Integration Bus, versions 16.0.3, 19.0.1
  • Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
  • Oracle Retail Service Backbone, versions 16.0.3, 19.0.1
  • Oracle Retail Xstore Office, version 25.0.1
  • Oracle Retail Xstore Point of Service, versions 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1, 25.0.0

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 14 new security patches for Oracle Siebel CRM.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Siebel CRM is 9.8.

The Oracle Siebel CRM products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Siebel Applications, versions 17.0-25.11

Oracle Supply Chain Executive Summary

This Critical Patch Update contains 10 new security patches for Oracle Supply Chain.  8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Supply Chain is 9.8.

The Oracle Supply Chain products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Agile PLM, version 9.3.6
  • Oracle Agile Product Lifecycle Management for Process, version 6.2.4
  • Oracle Autovue for Agile Product Lifecycle Management, version 21.1.0
  • Oracle AutoVue Office, version 21.1.0

Oracle Systems Executive Summary

This Critical Patch Update contains 5 new security patches for Oracle Systems.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Systems is 5.8.

The Oracle Systems products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Solaris, versions 10, 11
  • Oracle ZFS Storage Appliance Kit, version 8.8

Oracle Utilities Applications Executive Summary

This Critical Patch Update contains 5 new security patches for Oracle Utilities Applications.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Utilities Applications is 7.5.

The Oracle Utilities Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Utilities Application Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.4.0.4.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4, 25.10
  • Oracle Utilities Network Management System, versions 2.5.0.2.10, 2.6.0.1.9, 2.6.0.2.5
  • Oracle Utilities Testing Accelerator, versions 7.0.0.0.6, 7.0.0.1.4, 25.4.0.0.1

Oracle Virtualization Executive Summary

This Critical Patch Update contains 14 new security patches for Oracle Virtualization.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Virtualization is 8.2.

The Oracle Virtualization products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle VM VirtualBox, versions 7.1.14, 7.2.4