Released April 15, 2026 · Quarterly CPU

Oracle April 2026 CPU Release Intelligence

481 security patches across 28 Oracle product families — approximately 450 unique CVEs, with over 300 remotely exploitable without authentication. This is Oracle's last quarterly CPU before the monthly CSPU cadence begins on May 28, 2026.

Analyze April CPU Impact Back to CSPU Hub
6 Critical
18 High
3 Med-High
28 product families
April 2026 CPU Snapshot
QUARTERLY CPU
Total Patches
481
Unique CVEs
~450
Remote Exploit
300+
Product Families
28
Top Patched Products
Oracle Communications
139
Oracle Financial Services Applications
75
Oracle Fusion Middleware
59
CONSOLIDATED STATS

April 2026 CPU at a Glance

Oracle's April 2026 Critical Patch Update is one of the largest quarterly security releases of the year — covering 28 Oracle product families with approximately 450 unique vulnerabilities patched. Over 300 of those vulnerabilities are remotely exploitable without authentication, meaning attackers can target unpatched systems directly over the network.

Total Security Patches
481
Across 28 products
Unique CVEs
~450
Vulnerabilities fixed
Remote Exploit (Unauth)
300+
No credentials required
Product Families
28
Covered by this CPU

Top Patched Oracle Products — April 2026

Three Oracle product families account for the largest share of April 2026 CPU patches — prioritise these for impact analysis and regression scope.

Oracle Communications
139
security patches · 28% of CPU total
Oracle Financial Services Applications
75
security patches · 15% of CPU total
Oracle Fusion Middleware
59
security patches · 12% of CPU total

All April 2026 CPU Product Advisories

Per-product-family security advisories from the April 2026 Critical Patch Update. Each card summarises the impact for that product family — affected components and recommended validations.

Oracle Communications
CRITICAL

Network & Telecom Security Fixes

Type: Security / Infrastructure Immediate patching required

What changed: 139 security patches including 93 remotely exploitable vulnerabilities

Why it matters: Largest patch category in April CPU (Security Boulevard)

Pages: Admin Consoles
APIs: Telecom APIs
ESS Jobs: Network Monitoring Jobs
Config: Network Security Policies
Processes: Telecom Routing & Billing
Test Cases: SIP validationAPI securitytelecom workflow regression
Data Objects: SBCPolicy ServersMessaging Nodes
Oracle Financial Services Applications
CRITICAL

Banking & Financial Controls Security

Type: Security / Banking Customer-action-required

What changed: 75 security patches across banking products

Why it matters: High exposure for financial institutions (Security Boulevard)

Pages: Banking Dashboards
APIs: Banking APIs
ESS Jobs: Financial Batch Jobs
Config: Banking Security Profiles
Processes: Banking Transactions
Test Cases: Payment testingbanking integration testing
Data Objects: LoansBanking Accounts
Oracle Fusion Middleware
CRITICAL

Middleware Security Hardening

Type: Security / Middleware Immediate patching recommended

What changed: 59 security fixes including WebLogic/OAM vulnerabilities

Why it matters: Identity and middleware layers widely exposed (Oracle)

Pages: Login & SSO Pages
APIs: WebLogic APIs
ESS Jobs: Middleware Jobs
Config: OAuthSSO Policies
Processes: Enterprise Authentication
Test Cases: SSO testingmiddleware validation
Data Objects: DomainsOAM Policies
Oracle MySQL
HIGH

Database Security Updates

Type: Security / Database Customer-managed

What changed: 34 security patches across MySQL ecosystem

Why it matters: Databases are core integration backbone (Oracle)

Pages: DB Consoles
APIs: JDBC/APIs
ESS Jobs: ETL Jobs
Config: DB Security Policies
Processes: Reporting & Integrations
Test Cases: DB connectivity and ETL validation
Data Objects: MySQL DB Objects
Oracle PeopleSoft
HIGH

ERP Security & Access Updates

Type: Security / ERP Customer validation required

What changed: 21 patches affecting PeopleSoft applications

Why it matters: ERP systems are high-value targets (Tenable®)

Pages: HR & Finance Pages
APIs: PeopleSoft APIs
ESS Jobs: Batch Processing Jobs
Config: Security Roles
Processes: HR & Finance Processes
Test Cases: Role testingpayroll validation
Data Objects: EmployeesRoles
Oracle E-Business Suite
HIGH

Legacy ERP Security Fixes

Type: Security / ERP Customer patching required

What changed: 18 security patches for EBS environments

Why it matters: Critical for on-prem ERP customers (Tenable®)

Pages: OA Framework Pages
APIs: EBS APIs
ESS Jobs: Concurrent Requests
Config: Profile Options
Processes: Financial Transactions
Test Cases: Responsibility & workflow validation
Data Objects: ResponsibilitiesConcurrent Programs
Oracle Analytics
HIGH

BI & Reporting Security

Type: Security / Reporting Auto-applied partially

What changed: 15 patches for analytics stack

Why it matters: Reporting layers expose sensitive enterprise data (Tenable®)

Pages: BI Publisher
APIs: Analytics APIs
ESS Jobs: BI Schedulers
Config: Analytics Security
Processes: Reporting & Forecasting
Test Cases: Dashboard validationreport execution
Data Objects: ReportsDashboards
Oracle Retail Applications
CRITICAL

Retail Platform Security

Type: Security / Retail Immediate validation required

What changed: 15 remotely exploitable vulnerabilities

Why it matters: Retail systems often internet-facing (Tenable®)

Pages: Retail Workbench
APIs: Retail APIs
ESS Jobs: Inventory Jobs
Config: Retail Configurations
Processes: Retail Operations
Test Cases: POS validationinventory sync testing
Data Objects: POSInventory
Oracle Siebel CRM
HIGH

CRM Security Updates

Type: Security / CRM Customer-managed

What changed: 14 patches affecting CRM workflows

Why it matters: CRM holds sensitive customer information (Tenable®)

Pages: CRM Dashboards
APIs: Siebel APIs
ESS Jobs: CRM Batch Jobs
Config: CRM Security Profiles
Processes: Sales & Customer Service
Test Cases: Opportunity workflow testing
Data Objects: AccountsOpportunities
Oracle Java SE
CRITICAL

Java Runtime Vulnerabilities

Type: Security / Runtime Immediate update recommended

What changed: 11 patches including critical JVM vulnerabilities

Why it matters: Java underpins Oracle enterprise stack (Tenable®)

Pages: Java Applications
APIs: Java APIs
ESS Jobs: Java Services
Config: JVM Policies
Processes: All Java-based enterprise apps
Test Cases: JVM startup and integration testing
Data Objects: Java Runtime Libraries
Oracle GoldenGate
HIGH

Data Replication Security

Type: Security / Integration Customer validation recommended

What changed: 10 security patches for replication components

Why it matters: Replication failures impact DR and integrations (Qualys)

Pages: Replication Dashboards
APIs: Replication APIs
ESS Jobs: CDC Jobs
Config: Replication Rules
Processes: Data Synchronization
Test Cases: Replication failover testing
Data Objects: GoldenGate Streams
Oracle Enterprise Manager
HIGH

Enterprise Monitoring Security

Type: Security / Monitoring Customer patching required

What changed: 9 security fixes for EM platform

Why it matters: Enterprise monitoring often privileged (Oracle)

Pages: Enterprise Manager UI
APIs: EM APIs
ESS Jobs: Monitoring Jobs
Config: Monitoring Policies
Processes: Infra Monitoring
Test Cases: Agent health and dashboard testing
Data Objects: EM AgentsTargets
Oracle Virtualization
HIGH

Virtualization Security

Type: Security / Infrastructure Recommended

What changed: 9 virtualization-related patches

Why it matters: Hypervisor compromise impacts all workloads (Tenable®)

Pages: VM Consoles
APIs: Virtualization APIs
ESS Jobs: VM Scheduler Jobs
Config: VM Security Rules
Processes: Virtual Infrastructure
Test Cases: VM startup and migration testing
Data Objects: HypervisorsVM Policies
Oracle Database Server
CRITICAL

Oracle DB Security Fixes

Type: Security / Database Immediate patching recommended

What changed: 8 database vulnerabilities fixed

Why it matters: Central system of record for ERP (oradba.ch)

Pages: DB Consoles
APIs: SQLNet APIs
ESS Jobs: Backup Jobs
Config: DB Security Profiles
Processes: Core ERP Transactions
Test Cases: SQL executionbackup recovery testing
Data Objects: TablespacesUsers
Oracle Utilities Applications
HIGH

Utility Sector Security

Type: Security / Industry Apps Customer-managed

What changed: 7 security fixes for utility apps

Why it matters: Utilities are critical infrastructure (Tenable®)

Pages: Utility Dashboards
APIs: Utility APIs
ESS Jobs: Meter Jobs
Config: Utility Configurations
Processes: Utility Billing
Test Cases: Billing and integration validation
Data Objects: MeteringBilling
Oracle Hyperion
HIGH

Financial Planning Security

Type: Security / Finance Customer validation

What changed: 6 Hyperion security fixes

Why it matters: Financial planning data highly sensitive (Tenable®)

Pages: Hyperion Workspace
APIs: Hyperion APIs
ESS Jobs: Financial Calc Jobs
Config: Planning Rules
Processes: Budgeting & Forecasting
Test Cases: Cube calculation testing
Data Objects: EssbasePlanning Objects
Oracle Construction & Engineering
MEDIUM-HIGH

Construction App Security

Type: Security / Industry Apps Customer-managed

What changed: 4 security patches

Why it matters: Project systems manage large capital data (Tenable®)

Pages: Project Dashboards
APIs: Construction APIs
ESS Jobs: Project Batch Jobs
Config: Project Security
Processes: Project Lifecycle
Test Cases: Contract approval testing
Data Objects: ContractsProjects
Oracle Life Science Applications
HIGH

Life Science Security

Type: Security / Compliance Recommended

What changed: 4 security patches for life science apps

Why it matters: Compliance-heavy industry exposure (Tenable®)

Pages: Clinical Dashboards
APIs: Life Science APIs
ESS Jobs: Clinical Jobs
Config: Compliance Rules
Processes: Clinical Operations
Test Cases: Regulatory workflow validation
Data Objects: TrialsLab Data
Oracle Supply Chain
HIGH

SCM Security Fixes

Type: Security / Supply Chain Auto-applied partially

What changed: 4 patches impacting supply chain systems

Why it matters: Supply chain outages impact operations (Tenable®)

Pages: SCM Work Areas
APIs: SCM APIs
ESS Jobs: Inventory Jobs
Config: SCM Configurations
Processes: Procurement & Fulfillment
Test Cases: Order lifecycle testing
Data Objects: InventoryOrders
Oracle Blockchain Platform
HIGH

Blockchain Security

Type: Security / Distributed Ledger Customer-managed

What changed: 3 security fixes for blockchain services

Why it matters: Blockchain integrity is critical (Qualys)

Pages: Blockchain Consoles
APIs: Blockchain APIs
ESS Jobs: Ledger Jobs
Config: Blockchain Policies
Processes: Distributed Transactions
Test Cases: Smart contract validation
Data Objects: LedgersSmart Contracts
Oracle Commerce
HIGH

Commerce Platform Security

Type: Security / eCommerce Recommended

What changed: 3 commerce-related vulnerabilities fixed

Why it matters: Public-facing commerce systems exposed (Tenable®)

Pages: Commerce Storefronts
APIs: Commerce APIs
ESS Jobs: Pricing Jobs
Config: Commerce Rules
Processes: Online Ordering
Test Cases: Checkout and pricing validation
Data Objects: CatalogsOrders
Oracle JD Edwards
HIGH

JDE Security Updates

Type: Security / ERP Customer-managed

What changed: 3 security patches for JDE

Why it matters: Legacy ERP often poorly patched (Oracle)

Pages: JDE Consoles
APIs: JDE APIs
ESS Jobs: UBEs
Config: JDE Security Roles
Processes: ERP Operations
Test Cases: UBE and role validation
Data Objects: Finance & Manufacturing Data
Oracle Adapter for Eclipse RDF4J
MEDIUM

RDF4J Integration Security

Type: Security / Developer Tools Optional

What changed: 2 security vulnerabilities fixed

Why it matters: Impacts semantic integration layers (Oracle)

Pages: Developer Consoles
APIs: RDF APIs
ESS Jobs: Semantic Jobs
Config: RDF Configurations
Processes: Semantic Integrations
Test Cases: RDF query validation
Data Objects: RDF Repositories
Oracle Autonomous Health Framework
MEDIUM-HIGH

Autonomous Infra Security

Type: Security / Infrastructure Recommended

What changed: 2 security fixes for AHF

Why it matters: Health telemetry systems are privileged (Qualys)

Pages: AHF Dashboards
APIs: Diagnostic APIs
ESS Jobs: Health Jobs
Config: Health Policies
Processes: Infra Monitoring
Test Cases: Diagnostics and telemetry validation
Data Objects: Diagnostic Data
Oracle REST Data Services
HIGH

REST Services Security

Type: Security / APIs Immediate validation

What changed: 2 REST Data Services vulnerabilities fixed

Why it matters: REST APIs expose ERP data externally (Tenable®)

Pages: REST Consoles
APIs: ORDS APIs
ESS Jobs: ORDS Jobs
Config: OAuth Configurations
Processes: REST Integrations
Test Cases: API authentication and CRUD testing
Data Objects: ORDS Configurations
Oracle Systems
HIGH

Engineered Systems Security

Type: Security / Hardware Recommended

What changed: 2 security patches for systems stack

Why it matters: Infrastructure compromise impacts enterprise stack (Tenable®)

Pages: Hardware Consoles
APIs: System APIs
ESS Jobs: Infra Jobs
Config: Hardware Policies
Processes: Infra Operations
Test Cases: Hardware failover validation
Data Objects: ExadataSPARC
Oracle TimesTen In-Memory Database
MEDIUM-HIGH

In-Memory DB Security

Type: Security / Database Customer-managed

What changed: 1 TimesTen vulnerability fixed

Why it matters: Used in high-speed transactional systems (Tenable®)

Pages: DB Consoles
APIs: DB APIs
ESS Jobs: Cache Jobs
Config: Cache Security Policies
Processes: Real-time Transactions
Test Cases: Cache sync and query validation
Data Objects: Cache Tables
Oracle Hospitality Applications
HIGH

Hospitality Platform Security

Type: Security / Hospitality Recommended

What changed: 1 hospitality application vulnerability fixed

Why it matters: Hospitality systems often process payment data (Tenable®)

Pages: Hospitality Dashboards
APIs: Hospitality APIs
ESS Jobs: Reservation Jobs
Config: Hospitality Configurations
Processes: Reservation & POS Operations
Test Cases: Booking and POS testing
Data Objects: ReservationsPOS

Affected Components Across April 2026 CPU

Deduplicated inventory of components impacted by the April 2026 CPU. Use these as your regression scope baseline.

Affected Pages

26
AHF Dashboards Admin Consoles BI Publisher Banking Dashboards Blockchain Consoles CRM Dashboards Clinical Dashboards Commerce Storefronts DB Consoles Developer Consoles Enterprise Manager UI HR & Finance Pages Hardware Consoles Hospitality Dashboards Hyperion Workspace JDE Consoles Java Applications Login & SSO Pages OA Framework Pages Project Dashboards REST Consoles Replication Dashboards Retail Workbench SCM Work Areas Utility Dashboards VM Consoles

Affected APIs

28
Analytics APIs Banking APIs Blockchain APIs Commerce APIs Construction APIs DB APIs Diagnostic APIs EBS APIs EM APIs Hospitality APIs Hyperion APIs JDBC/APIs JDE APIs Java APIs Life Science APIs ORDS APIs PeopleSoft APIs RDF APIs Replication APIs Retail APIs SCM APIs SQLNet APIs Siebel APIs System APIs Telecom APIs Utility APIs Virtualization APIs WebLogic APIs

Recommended Test Cases

36
API authentication and CRUD testing API security Agent health and dashboard testing Billing and integration validation Booking and POS testing Cache sync and query validation Checkout and pricing validation Contract approval testing Cube calculation testing DB connectivity and ETL validation Dashboard validation Diagnostics and telemetry validation Hardware failover validation JVM startup and integration testing Opportunity workflow testing Order lifecycle testing POS validation Payment testing RDF query validation Regulatory workflow validation Replication failover testing Responsibility & workflow validation Role testing SIP validation SQL execution SSO testing Smart contract validation UBE and role validation VM startup and migration testing backup recovery testing banking integration testing inventory sync testing middleware validation payroll validation report execution telecom workflow regression

Oracle April 2026 CPU FAQs

Common questions about the April 2026 quarterly Critical Patch Update.

What is the Oracle April 2026 CPU?
The Oracle April 2026 Critical Patch Update (CPU) is Oracle's quarterly security release for April 2026 — containing 481 security patches across 28 Oracle product families. CPUs are cumulative, including all prior security fixes, and remain the primary mechanism for comprehensive security baselines.
How many vulnerabilities did the April 2026 CPU fix?
The April 2026 CPU addresses approximately 450 unique vulnerabilities — including over 300 flaws that are remotely exploitable without authentication. These are the most urgent class of fixes because attackers can exploit them over the network without credentials.
Which Oracle products had the most patches in April 2026?
Oracle Communications led with 139 security patches, followed by Oracle Financial Services Applications (75 patches) and Oracle Fusion Middleware (59 patches). All 28 covered product families received fixes — Database Server, Java SE, MySQL, E-Business Suite, PeopleSoft, JD Edwards, Siebel, Analytics, Hyperion, GoldenGate, REST Data Services, Communications, Retail, Hospitality, Life Sciences, Supply Chain, Construction & Engineering, Utilities, Commerce, Blockchain, Virtualization, Systems, TimesTen, Enterprise Manager, Financial Services and the Autonomous Health Framework.
How is the April 2026 CPU different from CSPUs?
Quarterly CPUs (like April 2026) are cumulative and comprehensive — they include every fix Oracle has released since the last CPU, across the entire product portfolio. Monthly CSPUs (starting May 28, 2026) are targeted, smaller releases for critical issues between quarterly cycles. April 2026 is the last CPU before the new CSPU monthly cadence begins.
What testing is needed after applying the April 2026 CPU?
For each impacted Oracle product: validate login flows and SSO, role-based access controls, API authentication, integration payloads, key transactional flows (P2P, O2C, R2R), product-specific journeys (EBS forms, PeopleSoft self-service, JD Edwards screens, Siebel processes, Database queries, Java app behaviour). SyntraFlow's release intelligence auto-composes a targeted regression plan for each product.
Which April 2026 CPU patches are highest priority?
Highest priority: the 300+ remotely exploitable, unauthenticated vulnerabilities — these can be attacked over the network without credentials and represent the largest exposure surface. Within those, prioritise products exposed to the internet (Oracle Communications, REST Data Services, WebLogic, Fusion Middleware) and identity infrastructure (IAM, OAuth, SCIM).

Validate the April 2026 CPU Across Your Oracle Stack

Tenant-specific April 2026 CPU impact analysis with auto-composed regression test packs — covering all 28 Oracle product families.

Request Assessment Analyze CPU Impact