Released June 16, 2026 · Second Monthly CSPU

Oracle June 2026 CSPU Release Intelligence

Oracle's second monthly Critical Security Patch Update — 245 security patches addressing 243 unique CVEs across 11 Oracle product families. Fusion Middleware carries the largest share at 106 patches (43.3%), followed by E-Business Suite at 55. Around 100 of the 245 patches are remotely exploitable without any authentication.

122 Critical
104 High
15 Medium
11 product families
June 2026 CSPU Snapshot
CRITICAL · JUNE 16
Security Patches
245
Unique CVEs
243
Product Families
11
Remote, No Auth
100
Next Oracle Security Releases
July 21, 2026CPU (cumulative)
August 18, 2026CSPU
September 15, 2026CSPU
RELEASE OVERVIEW

About the Oracle June 2026 CSPU

On June 16, 2026, Oracle shipped its second monthly Critical Security Patch Update (CSPU), following the inaugural May 2026 CSPU. The release contains 245 security patches addressing 243 unique CVEs across 11 Oracle product families — a substantially larger release than May's, and the clearest signal yet that the monthly cadence is carrying real volume rather than token fixes.

The distribution is heavily weighted toward the middleware layer. Oracle Fusion Middleware alone accounts for 106 patches — 43.3% of the entire release — with 53 of those exploitable remotely by an attacker holding no credentials at all. E-Business Suite follows at 55 patches (22.4%). Across all families, roughly 100 of the 245 patches require no authentication to exploit, which is the number worth taking to your change board.

Customers on Oracle-managed cloud services receive these fixes as part of the service. Customer-managed estates — on-premise Fusion Middleware, EBS, PeopleSoft, JD Edwards, Siebel, MySQL and Enterprise Manager — must apply the June 2026 CSPU themselves and validate business flows afterwards. The quarterly CPU on July 21, 2026 is cumulative and will include every May and June CSPU fix, but waiting five weeks on 100 unauthenticated remote vulnerabilities is a risk decision, not a scheduling one.

Security Patches
245
CRITICAL Patches
122
Fusion Middleware
106
E-Business Suite
55
PRIORITY ITEM

The PeopleSoft Zero-Day Behind This Cycle

The June cycle is defined by one vulnerability that Oracle could not wait for. CVE-2026-35273 — an unauthenticated remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools, CVSS 9.8 — was exploited as a zero-day in the wild before any advisory existed. Oracle broke its own cadence and shipped an out-of-band Security Alert and patch on June 10, six days ahead of this CSPU.

Oracle Security Alert · Out-of-band
CVE-2026-35273 — PeopleSoft Enterprise PeopleTools
CVSS 9.8 · EXPLOITED
Weakness
CWE-918 (SSRF)
Affected Versions
PeopleTools 8.61, 8.62
Exploited in Wild
May 27 – June 9, 2026
CISA KEV
Added June 12, 2026

Attribution points to UNC6240 — the financially motivated group publicly known as ShinyHunters. Mandiant confirmed exploitation between May 27 and June 9, meaning attackers held a working exploit for roughly two weeks before defenders had a patch. Of the 100-plus organisations notified, 68% were universities and colleges; stolen data began appearing on the group's leak site on June 9.

Full CVE-2026-35273 analysis, IoCs and mitigation steps

If you patched out-of-band on June 10, CVE-2026-35273 is already closed — but the June CSPU still carries 244 other patches you have not applied. If you did not, treat PeopleTools as an active incident rather than a patching backlog item.

WHERE THE RISK SITS

June 2026 CSPU by Oracle Product Family

All 245 patches, by family, with the count exploitable remotely without authentication — the column that should drive your sequencing.

Oracle Product Family Patches Share Remote / No Auth
Oracle Fusion Middleware10643.3%53
Oracle E-Business Suite5522.4%6
Oracle JD Edwards208.2%12
Oracle Enterprise Manager166.5%6
Oracle Siebel CRM124.9%7
Oracle PeopleSoft114.5%7
Oracle Virtualization104.1%0
Oracle MySQL83.3%4
Oracle Communications31.2%3
Oracle Systems31.2%1
Oracle Supply Chain10.4%1
Total245100%100

Counts reflect Oracle's published June 2026 CSPU advisory. 245 patches address 243 unique CVEs — two CVEs appear in more than one product family.

SEVERITY PROFILE

Half of This Release Is Critical

122 of 245 patches — 49.8% — carry a CRITICAL rating, and a further 104 are HIGH. Together they make up 92% of the release. This is not a cycle you can triage down to a handful of items.

CRITICAL
122
49.8% of release
HIGH
104
42.4% of release
MEDIUM
15
6.1% of release
LOW
4
1.6% of release
READINESS

June 2026 CSPU Readiness Checklist

A defensible sequence for customer-managed Oracle estates, ordered by exposure rather than by product.

STEP 1 — CONTAIN
Confirm PeopleTools exposure first

If you run PeopleTools 8.61 or 8.62 and did not apply the June 10 out-of-band patch, treat it as an incident. Check for exposure of /PSEMHUB/hub and /PSIGW/HttpListeningConnector to untrusted networks before anything else in this cycle.

STEP 2 — SEQUENCE
Patch by unauthenticated exposure, not by family size

Fusion Middleware's 53 unauthenticated-remote patches and JD Edwards' 12 outrank E-Business Suite's 55 total patches, of which only 6 need no credentials. Internet-facing middleware goes first.

STEP 3 — VALIDATE
Regression-test identity and integration paths

Middleware patching disproportionately affects SSO, OAuth, SOAP/REST integration endpoints and gateway routing. These are the flows that break silently after a security patch and surface as a failed month-end rather than a failed login.

STEP 4 — DECIDE
Choose: patch now or wait for July 21

The July 21 CPU is cumulative and will include June's fixes. That is a legitimate option for low-exposure internal systems — and an indefensible one for anything internet-facing carrying unauthenticated RCE. Document the decision either way.

FAQ

June 2026 CSPU FAQs

What is the Oracle June 2026 CSPU?

The June 2026 CSPU, released June 16, 2026, is Oracle's second monthly Critical Security Patch Update. It delivers 245 security patches addressing 243 unique CVEs across 11 Oracle product families, following the first monthly CSPU on May 28, 2026.

Which Oracle products are most affected?

Oracle Fusion Middleware carries 106 patches (43.3% of the release), of which 53 are remotely exploitable without authentication. Oracle E-Business Suite follows with 55 patches (22.4%). JD Edwards, Enterprise Manager, Siebel CRM, PeopleSoft, Virtualization, MySQL, Communications, Systems and Supply Chain make up the remainder.

How severe is the June 2026 CSPU?

122 of the 245 patches (49.8%) are rated CRITICAL and 104 (42.4%) are HIGH — together 92% of the release. Approximately 100 patches are exploitable remotely without any authentication.

Are Oracle Fusion Cloud customers affected by the June 2026 CSPU?

Customers on Oracle-managed cloud services receive these fixes automatically as part of the service. Customer-managed environments — on-premise Fusion Middleware, E-Business Suite, PeopleSoft, JD Edwards, Siebel, MySQL and Enterprise Manager — must apply the CSPU themselves and validate business flows after patching.

Does the June 2026 CSPU include the PeopleSoft zero-day CVE-2026-35273?

Oracle addressed CVE-2026-35273 in an out-of-band Security Alert on June 10, 2026, six days before the June CSPU, because it was already being exploited in the wild. If you applied that emergency patch, the vulnerability is closed; the June CSPU still carries 244 further patches.

Can we skip the June CSPU and wait for the July 2026 CPU?

The quarterly CPU on July 21, 2026 is cumulative and includes all May and June CSPU fixes. Waiting is defensible for low-exposure internal systems, but not for internet-facing components carrying unauthenticated remote code execution. Around 100 of the 245 June patches need no credentials to exploit.

When is the next Oracle CSPU after June 2026?

The quarterly CPU lands July 21, 2026 and is cumulative. The monthly CSPU cadence then resumes on August 18, 2026, followed by September 15, 2026.

Validate the June 2026 CSPU Across Your Oracle Stack

Tenant-specific June 2026 CSPU impact analysis with auto-composed security regression test packs — covering Fusion Cloud and the broader Oracle product portfolio.

Release Intelligence Separately-licensed SyntraFlow module

How SyntraFlow Release Intelligence Works

Release Intelligence is a SyntraFlow module that is licensed and priced separately from the core SyntraFlow test automation platform. It pinpoints exactly what each Oracle Fusion quarterly release or critical patch will affect in your tenant — and produces the test scenarios needed to validate it. The workflow runs in five connected steps:

  1. Connects to your Oracle Fusion environment. A secure read-only connection to your live Oracle Fusion tenant ingests setup data, security model, and live transactions — no manual exports, no spreadsheets.
  2. Scans your complete configuration with Config Intelligence. Config Intelligence snapshots every setup object (FSM tasks, profile options, BPM rules, descriptive flexfields, security policies) and compares it against the incoming release.
  3. Reads master & transaction data via DataVault. DataVault profiles your real master data and live transactions so impact analysis is grounded in what your business actually runs — not generic Oracle samples.
  4. Produces a detail-level Impact Map. Cross-references the release notes against your configuration and data to highlight which features, flows, integrations, and reports are at risk — down to the line-level setting or seeded role that changed. See Release Impact Analysis.
  5. Generates test scenarios & remediation report. Outputs ready-to-execute test cases targeting each impacted area, plus a remediation report with the exact steps to update your setup or data so the patch goes live with minimum disruption. Run them with Patch Testing Automation.

Licensing note: Release Intelligence is a standalone SyntraFlow module available as its own subscription, or as an add-on to the SyntraFlow test automation platform. Pricing is separate from the core platform — contact us for module pricing and bundling options.