Oracle June 2026 CSPU Release Intelligence
Oracle's second monthly Critical Security Patch Update — 245 security patches addressing 243 unique CVEs across 11 Oracle product families. Fusion Middleware carries the largest share at 106 patches (43.3%), followed by E-Business Suite at 55. Around 100 of the 245 patches are remotely exploitable without any authentication.
About the Oracle June 2026 CSPU
On June 16, 2026, Oracle shipped its second monthly Critical Security Patch Update (CSPU), following the inaugural May 2026 CSPU. The release contains 245 security patches addressing 243 unique CVEs across 11 Oracle product families — a substantially larger release than May's, and the clearest signal yet that the monthly cadence is carrying real volume rather than token fixes.
The distribution is heavily weighted toward the middleware layer. Oracle Fusion Middleware alone accounts for 106 patches — 43.3% of the entire release — with 53 of those exploitable remotely by an attacker holding no credentials at all. E-Business Suite follows at 55 patches (22.4%). Across all families, roughly 100 of the 245 patches require no authentication to exploit, which is the number worth taking to your change board.
Customers on Oracle-managed cloud services receive these fixes as part of the service. Customer-managed estates — on-premise Fusion Middleware, EBS, PeopleSoft, JD Edwards, Siebel, MySQL and Enterprise Manager — must apply the June 2026 CSPU themselves and validate business flows afterwards. The quarterly CPU on July 21, 2026 is cumulative and will include every May and June CSPU fix, but waiting five weeks on 100 unauthenticated remote vulnerabilities is a risk decision, not a scheduling one.
The PeopleSoft Zero-Day Behind This Cycle
The June cycle is defined by one vulnerability that Oracle could not wait for. CVE-2026-35273 — an unauthenticated remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools, CVSS 9.8 — was exploited as a zero-day in the wild before any advisory existed. Oracle broke its own cadence and shipped an out-of-band Security Alert and patch on June 10, six days ahead of this CSPU.
Attribution points to UNC6240 — the financially motivated group publicly known as ShinyHunters. Mandiant confirmed exploitation between May 27 and June 9, meaning attackers held a working exploit for roughly two weeks before defenders had a patch. Of the 100-plus organisations notified, 68% were universities and colleges; stolen data began appearing on the group's leak site on June 9.
Full CVE-2026-35273 analysis, IoCs and mitigation stepsIf you patched out-of-band on June 10, CVE-2026-35273 is already closed — but the June CSPU still carries 244 other patches you have not applied. If you did not, treat PeopleTools as an active incident rather than a patching backlog item.
June 2026 CSPU by Oracle Product Family
All 245 patches, by family, with the count exploitable remotely without authentication — the column that should drive your sequencing.
| Oracle Product Family | Patches | Share | Remote / No Auth |
|---|---|---|---|
| Oracle Fusion Middleware | 106 | 43.3% | 53 |
| Oracle E-Business Suite | 55 | 22.4% | 6 |
| Oracle JD Edwards | 20 | 8.2% | 12 |
| Oracle Enterprise Manager | 16 | 6.5% | 6 |
| Oracle Siebel CRM | 12 | 4.9% | 7 |
| Oracle PeopleSoft | 11 | 4.5% | 7 |
| Oracle Virtualization | 10 | 4.1% | 0 |
| Oracle MySQL | 8 | 3.3% | 4 |
| Oracle Communications | 3 | 1.2% | 3 |
| Oracle Systems | 3 | 1.2% | 1 |
| Oracle Supply Chain | 1 | 0.4% | 1 |
| Total | 245 | 100% | 100 |
Counts reflect Oracle's published June 2026 CSPU advisory. 245 patches address 243 unique CVEs — two CVEs appear in more than one product family.
Half of This Release Is Critical
122 of 245 patches — 49.8% — carry a CRITICAL rating, and a further 104 are HIGH. Together they make up 92% of the release. This is not a cycle you can triage down to a handful of items.
June 2026 CSPU Readiness Checklist
A defensible sequence for customer-managed Oracle estates, ordered by exposure rather than by product.
If you run PeopleTools 8.61 or 8.62 and did not apply the June 10 out-of-band patch, treat it as an incident. Check for exposure of /PSEMHUB/hub and /PSIGW/HttpListeningConnector to untrusted networks before anything else in this cycle.
Fusion Middleware's 53 unauthenticated-remote patches and JD Edwards' 12 outrank E-Business Suite's 55 total patches, of which only 6 need no credentials. Internet-facing middleware goes first.
Middleware patching disproportionately affects SSO, OAuth, SOAP/REST integration endpoints and gateway routing. These are the flows that break silently after a security patch and surface as a failed month-end rather than a failed login.
The July 21 CPU is cumulative and will include June's fixes. That is a legitimate option for low-exposure internal systems — and an indefensible one for anything internet-facing carrying unauthenticated RCE. Document the decision either way.
June 2026 CSPU FAQs
The June 2026 CSPU, released June 16, 2026, is Oracle's second monthly Critical Security Patch Update. It delivers 245 security patches addressing 243 unique CVEs across 11 Oracle product families, following the first monthly CSPU on May 28, 2026.
Oracle Fusion Middleware carries 106 patches (43.3% of the release), of which 53 are remotely exploitable without authentication. Oracle E-Business Suite follows with 55 patches (22.4%). JD Edwards, Enterprise Manager, Siebel CRM, PeopleSoft, Virtualization, MySQL, Communications, Systems and Supply Chain make up the remainder.
122 of the 245 patches (49.8%) are rated CRITICAL and 104 (42.4%) are HIGH — together 92% of the release. Approximately 100 patches are exploitable remotely without any authentication.
Customers on Oracle-managed cloud services receive these fixes automatically as part of the service. Customer-managed environments — on-premise Fusion Middleware, E-Business Suite, PeopleSoft, JD Edwards, Siebel, MySQL and Enterprise Manager — must apply the CSPU themselves and validate business flows after patching.
Oracle addressed CVE-2026-35273 in an out-of-band Security Alert on June 10, 2026, six days before the June CSPU, because it was already being exploited in the wild. If you applied that emergency patch, the vulnerability is closed; the June CSPU still carries 244 further patches.
The quarterly CPU on July 21, 2026 is cumulative and includes all May and June CSPU fixes. Waiting is defensible for low-exposure internal systems, but not for internet-facing components carrying unauthenticated remote code execution. Around 100 of the 245 June patches need no credentials to exploit.
The quarterly CPU lands July 21, 2026 and is cumulative. The monthly CSPU cadence then resumes on August 18, 2026, followed by September 15, 2026.
Validate the June 2026 CSPU Across Your Oracle Stack
Tenant-specific June 2026 CSPU impact analysis with auto-composed security regression test packs — covering Fusion Cloud and the broader Oracle product portfolio.
How SyntraFlow Release Intelligence Works
Release Intelligence is a SyntraFlow module that is licensed and priced separately from the core SyntraFlow test automation platform. It pinpoints exactly what each Oracle Fusion quarterly release or critical patch will affect in your tenant — and produces the test scenarios needed to validate it. The workflow runs in five connected steps:
- Connects to your Oracle Fusion environment. A secure read-only connection to your live Oracle Fusion tenant ingests setup data, security model, and live transactions — no manual exports, no spreadsheets.
- Scans your complete configuration with Config Intelligence. Config Intelligence snapshots every setup object (FSM tasks, profile options, BPM rules, descriptive flexfields, security policies) and compares it against the incoming release.
- Reads master & transaction data via DataVault. DataVault profiles your real master data and live transactions so impact analysis is grounded in what your business actually runs — not generic Oracle samples.
- Produces a detail-level Impact Map. Cross-references the release notes against your configuration and data to highlight which features, flows, integrations, and reports are at risk — down to the line-level setting or seeded role that changed. See Release Impact Analysis.
- Generates test scenarios & remediation report. Outputs ready-to-execute test cases targeting each impacted area, plus a remediation report with the exact steps to update your setup or data so the patch goes live with minimum disruption. Run them with Patch Testing Automation.
Licensing note: Release Intelligence is a standalone SyntraFlow module available as its own subscription, or as an add-on to the SyntraFlow test automation platform. Pricing is separate from the core platform — contact us for module pricing and bundling options.