Oracle Critical Security Patches — CSPU & CPU
Track every Oracle Critical Security Patch Update (CSPU) and quarterly Critical Patch Update (CPU). Monthly CSPU cadence begins May 28, 2026 — purpose-built release intelligence keeps Oracle Fusion environments secure without doubling your validation cycle.
Every Oracle Critical Security Release — Tracked
Out-of-band Security Alerts, quarterly Critical Patch Updates (CPUs) and monthly Critical Security Patch Updates (CSPUs).
Oracle Just Shifted to a Monthly Security Cadence
Until now Oracle Fusion customers waited up to 90 days for security fixes through the quarterly CPU. Starting May 28, 2026, Oracle delivers targeted critical-vulnerability fixes every month — a 3× increase in security release frequency. For customer-managed environments, that means 12 security validation cycles per year instead of 4.
CSPU vs CPU: What's the Difference?
Both are Oracle security releases — but they serve different operational purposes.
Monthly CSPU
- Cadence: Third Tuesday of every month
- Focus: Targeted critical vulnerability fixes
- Scope: Smaller, focused — fewer fixes per release
- Purpose: Reduce exposure between quarterly cycles
- First release: May 28, 2026
Quarterly CPU
- Cadence: Quarterly (Jan, Apr, Jul, Oct)
- Focus: Comprehensive across all products
- Scope: Cumulative — includes all prior CSPUs
- Purpose: Periodic comprehensive security baseline
- Next release: July 21, 2026
Oracle Security Release Calendar — 2026
Upcoming Oracle CSPU and CPU release dates. Add these to your patch validation calendar.
Recent Oracle Security Releases
Past Oracle security releases with full SyntraFlow release intelligence analysis.
CVE-2026-21992 — Identity Manager RCE
Out-of-band emergency Security Alert. CVSS 9.8 critical unauthenticated remote code execution in Oracle Identity Manager (OIM/OIG). Covers 10 affected Oracle identity and middleware components.
Oracle April 2026 Critical Patch Update
481 security patches across 28 Oracle product families. ~450 unique CVEs, 300+ remotely exploitable without auth. Top patched: Oracle Communications (139), Financial Services (75), Fusion Middleware (59).
What Monthly CSPUs Mean for Your Testing
Operational impact for QA, Release, and Security teams managing Oracle Fusion.
3× More Validation Cycles
Where you previously validated quarterly, you now validate monthly. Without automation, that's 12 manual security regression cycles per year.
Security Surface Coverage
CSPUs touch identity, SSO, OAuth, role-based access and integration auth. Every release needs end-to-end identity flow validation.
Integration Re-Validation
API authentication patches change downstream auth flows. OIC, REST/SOAP and FBDI integrations need re-validation after each CSPU.
Faster Decision Cycles
Customer-managed environments need patch impact decisions in days, not weeks. Manual analysis can't keep up with a monthly cadence.
Compounding Risk
Skipping one CSPU compounds risk against the next. Continuous validation becomes mandatory, not optional.
Audit Trail Demands
SOX, ISO 27001 and customer audits now require evidence for 16 security releases per year — automated documentation is non-negotiable.
How SyntraFlow Handles Oracle CSPU Monthly Cadence
Release Intelligence built for continuous Oracle security validation.
Real-Time CSPU Monitoring
SyntraFlow ingests every Oracle CSPU as soon as Oracle publishes — typically within hours of the third-Tuesday release.
Tenant-Specific Impact Analysis
Map each CSPU change to your actual roles, customizations, integrations and business processes. No reading through PDFs.
Auto-Composed Regression Pack
SyntraFlow auto-generates a targeted regression test plan covering only what's impacted in your tenant. Run in hours, not days.
Identity & Auth Validation
Pre-built test packs for SSO, MFA, OAuth, RBAC and SoD validation — exactly what every CSPU forces you to revalidate.
Continuous Audit Trail
Every CSPU validation cycle is timestamped, evidenced and exportable for SOX, ISO 27001 and internal audit.
Self-Healing Automation
Tests adapt automatically when Oracle changes selectors, schemas or auth flows — no quarter-after-quarter script maintenance.
Oracle CSPU & CPU FAQs
Common questions about Oracle's monthly Critical Security Patch Updates.
What is an Oracle Critical Security Patch Update (CSPU)?
How often does Oracle release CSPUs?
How are CSPUs different from quarterly CPUs?
When are the upcoming Oracle security release dates?
Do Oracle Cloud customers need to apply CSPUs manually?
How does SyntraFlow help with Oracle CSPU testing?
What should we test after applying an Oracle CSPU?
Stay Secure Across Every Oracle Monthly Patch
Get tenant-specific Oracle CSPU and CPU impact analysis with automated regression test packs.
How SyntraFlow Release Intelligence Works
Release Intelligence is a SyntraFlow module that is licensed and priced separately from the core SyntraFlow test automation platform. It pinpoints exactly what each Oracle Fusion quarterly release or critical patch will affect in your tenant — and produces the test scenarios needed to validate it. The workflow runs in five connected steps:
- Connects to your Oracle Fusion environment. A secure read-only connection to your live Oracle Fusion tenant ingests setup data, security model, and live transactions — no manual exports, no spreadsheets.
- Scans your complete configuration with Config Intelligence. Config Intelligence snapshots every setup object (FSM tasks, profile options, BPM rules, descriptive flexfields, security policies) and compares it against the incoming release.
- Reads master & transaction data via DataVault. DataVault profiles your real master data and live transactions so impact analysis is grounded in what your business actually runs — not generic Oracle samples.
- Produces a detail-level Impact Map. Cross-references the release notes against your configuration and data to highlight which features, flows, integrations, and reports are at risk — down to the line-level setting or seeded role that changed. See Release Impact Analysis.
- Generates test scenarios & remediation report. Outputs ready-to-execute test cases targeting each impacted area, plus a remediation report with the exact steps to update your setup or data so the patch goes live with minimum disruption. Run them with Patch Testing Automation.
Licensing note: Release Intelligence is a standalone SyntraFlow module available as its own subscription, or as an add-on to the SyntraFlow test automation platform. Pricing is separate from the core platform — contact us for module pricing and bundling options.