Oracle Critical Security Patch Update Pre-Release Announcement - May 2026

 

Description

This Critical Security Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Security Patch Update for May 2026, which will be released on Thursday, May 28, 2026.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Security Patch Update Advisory.

A Critical Security Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Security Patch Update addresses 35 new security patches. Some of the vulnerabilities addressed in this Critical Security Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Security Patch Update patches as soon as possible.

Executive Summaries

Oracle Database Server Executive Summary

This Critical Security Patch Update contains 3 new security patches for Oracle Database Products.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  All of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Database Server is 9.0.

The Oracle Database Server components and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle Database Server, versions 23.4.0-23.26.2

Oracle REST Data Services Executive Summary

This Critical Security Patch Update contains 11 new security patches for Oracle REST Data Services. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these vulnerabilities has a bolded, non-Oracle CVE, i.e., it is a vulnerability in one or more third party components included in Oracle product distributions or a vulnerability in an industry standard protocol.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle REST Data Services is 10.0.

The Oracle REST Data Services products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle REST Data Services, versions 24.2.0-26.1.0

Oracle Communications Executive Summary

This Critical Security Patch Update contains 8 new security patches for Oracle Communications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. All of these vulnerabilities have bolded, non-Oracle CVEs, i.e., they are vulnerabilities in one or more third party components included in Oracle product distributions or vulnerabilities in industry standard protocols.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Communications is 9.1.

The Oracle Communications products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle Communications Unified Assurance, versions 6.1.1-7.0.0

Oracle E-Business Suite Executive Summary

This Critical Security Patch Update contains 12 new security patches for Oracle E-Business Suite.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle E-Business Suite is 9.9.

The Oracle E-Business Suite products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle E-Business Suite, versions 12.2.3-12.2.15

Oracle Hospitality Applications Executive Summary

This Critical Security Patch Update contains 1 new security patch for Oracle Hospitality Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Hospitality Applications is 9.8.

The Oracle Hospitality Applications products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle Hospitality OPERA 5 Property Services, versions 5.6.19.24, 5.6.22.5, 5.6.25.19, 5.6.27.6, 5.6.28.2