
Oracle CSPU May 2026: 35 Critical Vulnerabilities Addressed

Severity: High (Score: 72.0)

Sources: www.oracle.com, Tenable, Ccb.Belgium.Be, nvd.nist.gov, Heise.De

Published: 2026-05-29 · Updated: 2026-05-30

Keywords: critical, security, patch, update, cspu, oracle, addresses

Severity indicators: critical, critical security

Summary

Oracle released its first Critical Security Patch Update (CSPU) on May 28, 2026, addressing 35 vulnerabilities across multiple product families, including Oracle Database, Oracle REST Data Services, and Oracle E-Business Suite. Among these, CVE-2026-46840 and CVE-2026-34311 are rated critical, with CVSS scores of 10.0 and 9.8, respectively. Attackers can exploit several vulnerabilities remotely without authentication, posing significant risks to organizations using affected Oracle products. The CSPU is part of Oracle's new monthly update strategy, aimed at providing timely security fixes. Security professionals are urged to apply the patches immediately to mitigate risks associated with these vulnerabilities. The update follows a history of exploitation of Oracle vulnerabilities, emphasizing the need for prompt action.

Key Points:

  • Oracle's CSPU addresses 35 vulnerabilities, including 11 critical ones.
  • CVE-2026-46840 has a CVSS score of 10.0, indicating severe risk.
  • Immediate patching is recommended to prevent potential exploitation.

Detailed Analysis

**Impact**

The update affects multiple Oracle product families including Oracle Database Server, Oracle REST Data Services, Oracle Communications, Oracle E-Business Suite, and Oracle Hospitality OPERA 5. The CSPU addresses 35 critical vulnerabilities, with several rated at CVSS 9.0 or higher, indicating severe risk. Sectors using Oracle E-Business Suite and REST Data Services are particularly at risk, with past incidents involving data theft and ransomware extortion reported. The geographic scope is global, impacting any organization running vulnerable Oracle software versions.

**Technical Details**

Exploitable vulnerabilities include unauthenticated remote network attacks via HTTP/HTTPS, allowing full system takeover (e.g., CVE-2026-46840 in REST Data Services, CVE-2026-46817 in Oracle Payments). Eleven CVEs are rated critical, with CVSS scores up to 10.0. Attack vectors involve network access without user interaction, affecting backend services and client installations. No specific malware or IOCs are mentioned. The vulnerabilities impact multiple kill chain stages, primarily initial access and execution.

**Recommended Response**

Apply all relevant CSPU patches immediately, prioritizing Oracle REST Data Services, E-Business Suite, and Backend-as-a-Service components. Enhance network monitoring and detection capabilities for suspicious activity related to these vulnerabilities. Block network protocols exploited by the vulnerabilities where feasible until patches are applied. Review and remove unnecessary privileges associated with vulnerable packages to reduce attack surface.

Source articles (9)

  • Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs — Tenable · 2026-05-28
    Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates. On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 202…
  • May 2026 Critical Security Patch Update Released — Blogs.Oracle · 2026-05-28
    This Critical Security Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle REST Data Services, Oracle Communications, Oracle E-Business Suite, O…
  • Oracle May 2026 Critical Security Patch Update Risk Matrices — www.oracle.com · 2026-05-29
    This document provides the text form of the May 2026 Advisory Risk Matrices. Please note that the CVE IDs in this document correspond to the same CVE IDs in the May 2026 Advisory. This page contains…
  • Oracle CSPU: 35 Security Updates in May — Heise.De · 2026-05-29
    Oracle is known for its quarterly patch days, called “Critical Patch Update” (CPU); the last one took place in April and addressed 481 vulnerabilities. In May, the company has now pushed out a “criti…
  • Oracle Critical Security Update — Cybersecuritynews · 2026-05-29
    Oracle has rolled out its first Critical Security Patch Update (CSPU), delivering 35 new security fixes for serious vulnerabilities across several major product lines, including Oracle Database, Oracl…
  • Warning: Multiple Vulnerabilities in Oracle Products, Patch Immediately! — Ccb.Belgium.Be · 2026-05-29
    Oracle released the May Critical Patch Update, a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components include…
  • Critical Security Patch Update for May 2026 Now Available | ebstech — Blogs.Oracle · 2026-05-29
    The Critical Security Patch Update (CSPU) for May 2026 was released on 28 May 2026. Oracle strongly recommends applying the CSPU patches as soon as possible. A link to the latest available Oracle E-Bu…
  • CVE 2026 46840 — nvd.nist.gov · 2026-05-29
    This CVE record is currently being enriched by team members, this process results in the association of reference link tags, CVSS, CWE, and CPE applicability statement data Vulnerability in Oracle RES…
  • Cspumay2026 — www.oracle.com · 2026-05-30
    A Critical Security Patch Update (CSPU) provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch…

Timeline

  • 2026-04-14 — CVE-2026-2332 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-20 — CVE-2026-33557 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-28 — Oracle CSPU released: Oracle released its first Critical Security Patch Update addressing 35 vulnerabilities across multiple products.
  • 2026-05-28 — CVE-2026-46840 published: CVE-2026-46840 affects Oracle REST Data Services and is easily exploitable without authentication.
  • 2026-05-28 — CVE-2026-34311 published: CVE-2026-34311 is a critical vulnerability in Oracle Hospitality OPERA 5 with a CVSS score of 9.8.
  • 2026-05-28 — CVE-2026-46775 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-28 — CVE-2026-46824 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-28 — CVE-2026-46833 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-28 — CVE-2026-46822 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-28 — CVE-2026-46839 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2026-2332
  • CVE-2026-33557
  • CVE-2026-34311
  • CVE-2026-46775
  • CVE-2026-46817
  • CVE-2026-46819
  • CVE-2026-46822
  • CVE-2026-46824
  • CVE-2026-46833
  • CVE-2026-46839
  • CVE-2026-46840

Related entities

  • Data Breach (Attack Type)
  • Oracle (Company)
  • Belgium (Country)
  • CWE-287 - Improper Authentication (Cwe)
  • german.it (Domain)
  • vulnerabilities.in (Domain)
  • Backend-as-a-Service (Platform)
  • Fusion Middleware (Platform)
  • Oracle Communications (Platform)
  • Oracle Database (Platform)
  • Oracle Databases (Platform)
  • Oracle E-business Suite (Platform)
  • Oracle Enterprise Manager (Platform)
  • Oracle Hospitality Applications (Platform)
  • Oracle Hospitality Opera 5 Property Services (Platform)
  • Oracle Payments (Platform)
  • Oracle REST Data Services (Platform)
  • Cl0p (Ransomware Group)