Full Report
Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates.

## Key Takeaways
- The May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates
- 11 issues (31.4% of all patches) were assigned a critical severity rating
- Oracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patches

## Background
On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%.

This month's update includes 11 critical patches across 11 CVEs.

| Severity | Issues Patched | CVEs |
|----------|----------------|------|
| Critical | 11 | 11 |
| High | 18 | 18 |
| Medium | 6 | 6 |
| Low | 0 | 0 |
| Total | 35 | 35 |

## Analysis
This month's update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches.

A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|-----------------------|-------------------|-----------------------------|
| Oracle E-Business Suite | 12 | 3 |
| Oracle REST Data Services | 11 | 7 |
| Oracle Communications | 8 | 4 |
| Oracle Database Server | 3 | 3 |
| Oracle Hospitality Applications | 1 | 1 |

## Solution
Customers are advised to apply all relevant patches in this CSPU. Please refer to the May 2026 advisory for full details.

## Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

## Get more information
- Oracle Critical Security Patch Update Advisory - May 2026
- Oracle May 2026 Critical Security Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Analysis Summary
# Vulnerability: Oracle Critical Security Patch Update (CSPU) - May 2026
## CVE Details
- **CVE ID:** 35 Unique CVEs (Detailed in the May 2026 Advisory)
- **CVSS Score:** Up to 10.0 (Critical)
- **CWE:** Varies by vulnerability (Focused on high-severity flaws handled in the monthly CSPU cycle)
## Affected Systems
- **Products:**
  - Oracle E-Business Suite (12 patches)
  - Oracle REST Data Services (11 patches)
  - Oracle Communications (8 patches)
  - Oracle Database Server (3 patches)
  - Oracle Hospitality Applications (1 patch)
- **Versions:** Multiple versions across 5 product families; refer to Oracle Risk Matrices for specific versioning.
- **Configurations:** Systems exposed to networks are at higher risk; 18 of the 35 vulnerabilities are exploitable remotely without authentication.
## Vulnerability Description
This update addresses 35 security flaws as part of Oracle's monthly Critical Security Patch Update (CSPU) cycle. These monthly releases specifically target high-severity and critical issues that require a faster remediation cadence than the traditional quarterly updates. The flaws include issues allowing unauthorized access, data manipulation, or service disruption.
## Exploitation
- **Status:** Check Oracle Advisory for specific "Exploited" status; currently, these are addressed as preventative security maintenance.
- **Complexity:** Varies (Predominantly Low to Medium for the 11 Critical flaws).
- **Attack Vector:**
  - **Network:** 18 vulnerabilities (Remotely exploitable without credentials).
  - **Other:** Adjacent, Local, or Physical depending on the specific CVE.
## Impact
- **Confidentiality:** High (Critical patches often involve unauthorized data access).
- **Integrity:** High (Potential for unauthorized modification of records).
- **Availability:** High (Potential for Denial of Service or system takeover).
## Remediation
### Patches
- Users should apply the **May 2026 CSPU** immediately.
- Specific patch sets for E-Business Suite, REST Data Services, and Database Server are available via My Oracle Support.
### Workarounds
- Limit network exposure for affected services.
- Disable unnecessary features in Oracle REST Data Services and E-Business Suite if patches cannot be applied immediately.
- Implement strict ingress filtering for port 1521 (Database) and web service ports.
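
An added example, not part of the original advisory or of Oracle's or Tenable's tooling: a check of host firewall rules against the ingress-filtering workaround above. It assumes Linux `iptables-save` output; the sample rules, `WATCHED_PORTS` (8080 and 8443 as stand-ins for the web service ports) and the `find_open_ingress` helper are constructed for illustration.

```python
import ipaddress
import shlex

# Assumption: 1521 is the database port named above; 8080 and 8443 stand in
# for "web service ports" and should be replaced with the ports in use.
WATCHED_PORTS = {1521, 8080, 8443}

# Constructed sample of `iptables-save` output, not taken from a real host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 8080,8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1500:1600 -j ACCEPT
-A INPUT ! -s 10.20.0.0/16 -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
"""

def _opt(tok, *names):
    """Return the argument following the first of `names` present in tok."""
    for name in names:
        if name in tok[:-1]:
            return tok[tok.index(name) + 1]
    return None

def _ports(spec):
    """Expand an iptables port spec such as '8080,8443' or '1500:1600'."""
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        ports.update(range(int(lo or 0), int(hi or (65535 if sep else lo)) + 1))
    return ports

def find_open_ingress(rules_text, watched=WATCHED_PORTS, max_prefix=8):
    """Flag INPUT ACCEPT rules admitting a watched TCP port from a wide source."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or _opt(tok, "-j") != "ACCEPT":
            continue
        spec = _opt(tok, "--dport", "--dports")
        if spec is None or _opt(tok, "-p") != "tcp":
            continue  # only rules with an explicit TCP destination port
        exposed = sorted(watched & _ports(spec))
        src = ipaddress.ip_network(_opt(tok, "-s") or "0.0.0.0/0", strict=False)
        # Negated matches are surfaced for manual review, not interpreted.
        if exposed and ("!" in tok or src.prefixlen <= max_prefix):
            findings.append((no, exposed, "negated" if "!" in tok else str(src)))
    return findings
```

Each finding is `(line number, watched ports admitted, source)`; port ranges that merely contain 1521 are reported as well, since they defeat the filter just as an explicit rule would.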
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative logins or unauthorized API calls to REST Data Services.
- **Detection methods and tools:**
  - Use the Tenable plugin filter: `hxxps[://]www[.]tenable[.]com/plugins/search?q=%22%28May+2026+CSPU%29%22&sort=&page=1`
  - Oracle's "Risk Matrices" provide specific component-level indicators.
## References
- Oracle May 2026 Advisory: `hxxps[://]www[.]oracle[.]com/security-alerts/cspumay2026[.]html`
- Oracle Risk Matrices: `hxxps[://]www[.]oracle[.]com/security-alerts/cspumay2026verbose[.]html`
- CVE to Advisory Map: `hxxps[://]www[.]oracle[.]com/security-alerts/public-vuln-to-advisory-mapping[.]html`