Released May 28, 2026 · First Monthly CSPU

Oracle May 2026 CSPU Release Intelligence

Oracle's first monthly Critical Security Patch Update — 37 security advisories across 37 Oracle products. Covers Oracle Fusion Cloud + the broader Oracle portfolio (Database, Java SE, MySQL, EBS, PeopleSoft, JD Edwards, Siebel, Middleware, Hyperion, GoldenGate and more).

9 Critical · 23 High · 4 Med-High · 37 products

May 2026 CSPU Snapshot
CRITICAL · MAY 28
Total Advisories: 37 · Critical: 9 · Oracle Products: 37 · Fusion Modules: 9

Next Oracle Security Releases
June 16, 2026: CSPU
July 21, 2026: CPU
August 18, 2026: CSPU

RELEASE OVERVIEW

About the Oracle May 2026 CSPU

On May 28, 2026, Oracle launched the first monthly Critical Security Patch Update (CSPU) — establishing a new monthly cadence that complements the existing quarterly Critical Patch Update (CPU). This release contains 37 security advisories spanning 37 Oracle products: 9 affecting Oracle Fusion Cloud directly and 28 covering the broader Oracle stack (Database, Java SE, MySQL, EBS, PeopleSoft, JD Edwards, Siebel, Middleware, Analytics, Hyperion, etc.).

Customers using Oracle-managed cloud services receive these updates automatically. Customer-managed environments — including on-premise installations, hybrid landscapes, and customer-patched Oracle products — must apply the May 2026 CSPU manually and validate critical business flows after patching.

Total Advisories: 37 · CRITICAL Items: 9 · Fusion Cloud Items: 9 · Broader Oracle Items: 28

PART 1 — ORACLE FUSION CLOUD

Fusion Cloud Security Changes

9 security advisories affecting Oracle Fusion Cloud modules — Identity, Integration, Automation Framework, and core ERP modules.

Platform Security
CRITICAL

Monthly Critical Security Patch Updates (CSPU) Introduction

Type: Security / Patch Management · Customer-managed environments must apply

What changed: Oracle introduces monthly CSPUs for critical vulnerabilities between quarterly CPUs

Why it matters: Monthly security cadence increases frequency of regression/security validation requirements

Pages: All Fusion pages
APIs: All public APIs
ESS Jobs: All scheduled jobs
Config: Security Console, SSO, IAM, OAuth Config
Processes: End-to-end ERP transactions
Test Cases: Login validation, role access testing, API authentication, regression testing
Data Objects: Users, Roles, Privileges, Integrations

Payables
HIGH

Security Hardening for AP Transactions

Type: Security / Process · Auto-applied in Oracle Cloud

What changed: Security fixes may impact invoice processing, approvals, and integrations

Why it matters: Security patches can impact invoice workflows and approval routing

Pages: Create Invoice, Manage Invoices
APIs: AP Invoice REST APIs
ESS Jobs: Import Payables Invoices, Validate Payables Invoices
Config: Approval Rules, AP System Options
Processes: Invoice Processing, Approval, Validation
Test Cases: Create Standard Invoice, Approval Flow, Invoice Validation, REST API validation
Data Objects: Supplier Master, Invoice Headers, Payment Methods

Payments
HIGH

Payment Security Controls

Type: Security / Integration · Customer review recommended

What changed: Payment and banking security fixes likely included in CSPUs

Why it matters: Payment interfaces are highly sensitive to security patches

Pages: Payments Dashboard, Create Payment Process Requests
APIs: Payments REST APIs
ESS Jobs: Create Payment Instructions
Config: Payment Process Profiles
Processes: Payment Execution and Transmission
Test Cases: PPR creation, payment approval, bank file generation
Data Objects: Internal Banks, Payment Methods

Procurement
HIGH

Supplier & Procurement Access Security

Type: Security / Access Control · Auto-applied in SaaS

What changed: Procurement role/access vulnerabilities may be patched

Why it matters: Procurement integrations often rely on role-based access

Pages: Purchase Orders, Supplier Portal
APIs: Procurement REST APIs
ESS Jobs: Import Purchasing Documents
Config: Procurement BU Security
Processes: Supplier onboarding and PO approvals
Test Cases: Supplier registration, PO approval, role access validation
Data Objects: Supplier Sites, PO Headers

Receivables
HIGH

AR Security & Integration Updates

Type: Security / API · Auto-applied in SaaS

What changed: CSPUs may include fixes affecting customer transactions and AR integrations

Why it matters: AR APIs and imports are commonly impacted by security changes

Pages: Create Transaction, Receipts Work Area
APIs: Receivables REST APIs
ESS Jobs: AutoInvoice Import
Config: AutoAccounting Rules
Processes: Billing and Receipt Processing
Test Cases: Create transaction, receipt application, AutoInvoice import
Data Objects: Customer Accounts, Receipts

General Ledger
HIGH

GL Access & Posting Security

Type: Security / Role Management · Customer-managed validation required

What changed: Security fixes may impact posting privileges and accounting access

Why it matters: GL security impacts financial control compliance

Pages: Journals, Account Monitor
APIs: GL REST APIs
ESS Jobs: Posting Journals
Config: Ledger Options, Security Rules
Processes: Journal Posting and Close
Test Cases: Journal creation, posting, period close validation
Data Objects: Journal Batches, Ledgers

Integration
CRITICAL

OAuth / SSO / API Security Enhancements

Type: Security / Authentication · Customer validation recommended

What changed: Oracle highlights accelerated vulnerability remediation and AI-assisted detection

Why it matters: Authentication failures are common after security updates

Pages: Login Pages, Integration Endpoints
APIs: All Fusion REST/SOAP APIs
ESS Jobs: Integration ESS jobs
Config: SSO, OAuth, IDCS
Processes: Integration Authentication
Test Cases: OAuth token validation, SSO login, API connectivity tests
Data Objects: OAuth Clients, IDCS Configurations

Automation Framework
MEDIUM-HIGH

Selenium / UI Automation Stability

Type: UI / Security · Customer-action-required

What changed: Security updates may alter page DOM, headers, redirects, and session handling

Why it matters: Frequent CSPUs increase automation maintenance effort

Pages: All Redwood and Classic pages
APIs: Automated API integrations
ESS Jobs: Scheduled automation jobs
Config: Browser Policies, CSP Headers
Processes: Automated ERP Testing
Test Cases: Selenium locator validation, login replay, workflow regression
Data Objects: XPath/Object Repository

Identity & Access
CRITICAL

AI-Accelerated Vulnerability Detection

Type: Security / Infrastructure · Informational

What changed: Oracle using AI models to improve vulnerability detection and remediation cadence

Why it matters: Faster security remediation means more frequent enterprise validation cycles

Pages: Security Console
APIs: IAM APIs
ESS Jobs: User Sync Jobs
Config: Role Mappings, SSO Policies
Processes: User provisioning and authentication
Test Cases: Role provisioning, segregation of duties testing
Data Objects: Users, Roles, Privileges

PART 2 — BROADER ORACLE PORTFOLIO

Oracle Stack Security Advisories

28 security advisories covering Oracle products beyond Fusion Cloud — Database, Java SE, MySQL, Middleware, EBS, PeopleSoft, JD Edwards, Siebel, Analytics, Hyperion, GoldenGate and more.

Oracle Communications
CRITICAL

Monthly critical security readiness

Type: Security / Infrastructure · Customer patching

What changed: Validate telecom platform after targeted CSPU

Pages: Highest patch exposure in April CPU
Data Objects: SIP/API regression, admin login, service restart

Oracle Financial Services Applications
CRITICAL

Banking security readiness

Type: Security / Banking · Customer patching

What changed: Validate banking apps and batch controls

Pages: Financial platforms are high-risk
Data Objects: Payment workflow, batch, API auth

Oracle Fusion Middleware
CRITICAL

Middleware hardening

Type: Security / Middleware · Customer patching

What changed: Validate WebLogic/OAM/SSO stack

Pages: Middleware affects Fusion access
Data Objects: SSO, OAM redirect, WebLogic health

Oracle MySQL
HIGH

Database security readiness

Type: Security / Database · Customer patching

What changed: Validate DB and connector compatibility

Pages: Database layer supports apps
Data Objects: JDBC, backup, ETL, query smoke test

Oracle PeopleSoft
HIGH

PeopleSoft ERP readiness

Type: Security / ERP · Customer patching

What changed: Validate roles, pages, batch jobs

Pages: ERP access can break after patches
Data Objects: Login, role access, payroll batch

Oracle E-Business Suite
HIGH

EBS security readiness

Type: Security / ERP · Customer patching

What changed: Validate responsibilities and concurrent jobs

Pages: Critical for legacy ERP
Data Objects: Responsibility access, concurrent program

Oracle Analytics
HIGH

BI security readiness

Type: Security / Reporting · Customer patching

What changed: Validate dashboards, reports, schedules

Pages: Reports expose sensitive data
Data Objects: Dashboard, BI Publisher, scheduler

Oracle Retail Applications
CRITICAL

Retail security readiness

Type: Security / Retail · Customer patching

What changed: Validate POS/order/inventory flows

Pages: Retail systems may be public-facing
Data Objects: POS, order, inventory sync

Oracle Siebel CRM
HIGH

CRM security readiness

Type: Security / CRM · Customer patching

What changed: Validate CRM object access and APIs

Pages: Customer data exposure risk
Data Objects: Account/opportunity workflow, API auth

Oracle Java SE
CRITICAL

Java runtime patching

Type: Security / Runtime · Customer patching

What changed: Validate Java-dependent workloads

Pages: Java underpins Oracle stack
Data Objects: JVM startup, app regression

Oracle GoldenGate
HIGH

Replication security readiness

Type: Security / Integration · Customer patching

What changed: Validate replication and CDC

Pages: Data sync failures affect DR
Data Objects: Extract/replicat, lag, failover

Oracle Enterprise Manager
HIGH

Monitoring platform readiness

Type: Security / Monitoring · Customer patching

What changed: Validate agents and targets

Pages: EM has privileged access
Data Objects: Agent upload, target status, alerts

Oracle Virtualization
HIGH

Virtualization security readiness

Type: Security / Infrastructure · Customer patching

What changed: Validate VM hosts and migrations

Pages: Hypervisor risk impacts all workloads
Data Objects: VM boot, migration, snapshot

Oracle Database Server
CRITICAL

Database server readiness

Type: Security / Database · Customer patching

What changed: Validate DB patch and app connectivity

Pages: Database is system of record
Data Objects: SQL, backup, listener, app login

Oracle Utilities Applications
HIGH

Utility app readiness

Type: Security / Industry · Customer patching

What changed: Validate metering/billing flows

Pages: Critical infrastructure exposure
Data Objects: Meter import, billing, API test

Oracle Hyperion
HIGH

Planning security readiness

Type: Security / Finance · Customer patching

What changed: Validate Essbase/planning workloads

Pages: Financial planning data sensitive
Data Objects: Cube calc, Smart View, workflow

Oracle Construction & Engineering
MEDIUM-HIGH

Project app readiness

Type: Security / Industry · Customer patching

What changed: Validate project/contract workflows

Pages: Capital project data risk
Data Objects: Contract approval, project dashboard

Oracle Life Science Applications
HIGH

Compliance app readiness

Type: Security / Compliance · Customer patching

What changed: Validate clinical/compliance workflows

Pages: Regulated data exposure
Data Objects: Trial workflow, audit trail

Oracle Supply Chain
HIGH

SCM readiness

Type: Security / SCM · Customer patching

What changed: Validate inventory/order flows

Pages: Supply-chain disruption risk
Data Objects: Order, inventory, procurement API

Oracle Blockchain Platform
HIGH

Blockchain readiness

Type: Security / Ledger · Customer patching

What changed: Validate node/API operations

Pages: Integrity-sensitive platform
Data Objects: Node health, ledger API

Oracle Commerce
HIGH

Commerce readiness

Type: Security / eCommerce · Customer patching

What changed: Validate storefront/checkout APIs

Pages: Public-facing attack surface
Data Objects: Checkout, pricing, catalog sync

Oracle JD Edwards
HIGH

JDE readiness

Type: Security / ERP · Customer patching

What changed: Validate roles and UBEs

Pages: Legacy ERP patch risk
Data Objects: UBE, role, finance process

Oracle Adapter for Eclipse RDF4J
MEDIUM

RDF integration readiness

Type: Security / Developer Tools · Customer patching

What changed: Validate RDF repositories/APIs

Pages: Integration dependency risk
Data Objects: RDF query, repository access

Oracle Autonomous Health Framework
MEDIUM-HIGH

AHF readiness

Type: Security / Infrastructure · Customer patching

What changed: Validate diagnostics and telemetry

Pages: Diagnostic tools are privileged
Data Objects: AHF collection, upload, alerts

Oracle REST Data Services
HIGH

ORDS readiness

Type: Security / API · Customer patching

What changed: Validate REST endpoints and auth

Pages: APIs expose enterprise data
Data Objects: OAuth, CRUD, endpoint regression

Oracle Systems
HIGH

Engineered systems readiness

Type: Security / Hardware · Customer patching

What changed: Validate system firmware/infra stack

Pages: Platform compromise affects apps
Data Objects: Failover, console login, monitoring

Oracle TimesTen In-Memory Database
MEDIUM-HIGH

TimesTen readiness

Type: Security / Database · Customer patching

What changed: Validate cache and sync workloads

Pages: Used in low-latency systems
Data Objects: Cache sync, SQL, failover

Oracle Hospitality Applications
HIGH

Hospitality readiness

Type: Security / Hospitality · Customer patching

What changed: Validate reservations/POS flows

Pages: Payment/customer data exposure
Data Objects: Booking, POS, payment interface

Affected Components Across May 2026 CSPU

Deduplicated inventory of components impacted by the May 2026 CSPU. Use these as your regression scope baseline.

Affected Pages

43
APIs expose enterprise data; Account Monitor; All Fusion pages; All Redwood and Classic pages; Capital project data risk; Create Invoice; Create Payment Process Requests; Create Transaction; Critical for legacy ERP; Critical infrastructure exposure; Customer data exposure risk; Data sync failures affect DR; Database is system of record; Database layer supports apps; Diagnostic tools are privileged; EM has privileged access; ERP access can break after patches; Financial planning data sensitive; Financial platforms are high-risk; Highest patch exposure in April CPU; Hypervisor risk impacts all workloads; Integration Endpoints; Integration dependency risk; Integrity-sensitive platform; Java underpins Oracle stack; Journals; Legacy ERP patch risk; Login Pages; Manage Invoices; Middleware affects Fusion access; Payment/customer data exposure; Payments Dashboard; Platform compromise affects apps; Public-facing attack surface; Purchase Orders; Receipts Work Area; Regulated data exposure; Reports expose sensitive data; Retail systems may be public-facing; Security Console; Supplier Portal; Supply-chain disruption risk; Used in low-latency systems

Affected APIs

9
AP Invoice REST APIs; All Fusion REST/SOAP APIs; All public APIs; Automated API integrations; GL REST APIs; IAM APIs; Payments REST APIs; Procurement REST APIs; Receivables REST APIs

Affected ESS Jobs

10
All scheduled jobs; AutoInvoice Import; Create Payment Instructions; Import Payables Invoices; Import Purchasing Documents; Integration ESS jobs; Posting Journals; Scheduled automation jobs; User Sync Jobs; Validate Payables Invoices

Affected Config Objects

17
AP System Options; Approval Rules; AutoAccounting Rules; Browser Policies; CSP Headers; IAM; IDCS; Ledger Options; OAuth; OAuth Config; Payment Process Profiles; Procurement BU Security; Role Mappings; SSO; SSO Policies; Security Console; Security Rules

Affected Business Processes

11
Approval; Automated ERP Testing; Billing and Receipt Processing; End-to-end ERP transactions; Integration Authentication; Invoice Processing; Journal Posting and Close; Payment Execution and Transmission; Supplier onboarding and PO approvals; User provisioning and authentication; Validation

Recommended Test Cases

28
API authentication; API connectivity tests; Approval Flow; AutoInvoice import; Create Standard Invoice; Create transaction; Invoice Validation; Journal creation; Login validation; OAuth token validation; PO approval; PPR creation; REST API validation; Role provisioning; SSO login; Selenium locator validation; Supplier registration; bank file generation; login replay; payment approval; period close validation; posting; receipt application; regression testing; role access testing; role access validation; segregation of duties testing; workflow regression

May 2026 CSPU Readiness Checklist

Tick these off before applying to production.

Identify which Oracle environments are customer-managed (Fusion + broader stack: Database, Java SE, MySQL, EBS, PeopleSoft, JD Edwards, Siebel, Middleware, etc.)
Review impacted Identity, SSO, OAuth and MFA flows in non-production
Validate role-based access controls (RBAC) and Segregation of Duties (SoD)
Test API authentication for OIC integrations and REST/SOAP endpoints
Patch Java SE runtimes used by Oracle applications and custom JVM workloads
Validate Oracle Database and MySQL clusters with the latest CPU/CSPU fixes
Re-run regression tests for P2P, O2C, R2R and core ERP transactions
Confirm Procurement, Payables and Receivables workflows still function
Validate PeopleSoft, JD Edwards, Siebel and EBS flows where in scope
Schedule production patch window aligned with business cutover constraints
Document validation evidence for SOX / ISO 27001 / internal audit trails

May 2026 CSPU FAQs

Common questions about Oracle's first monthly CSPU release.

What is the Oracle May 2026 CSPU?
The Oracle May 2026 CSPU (released May 28, 2026) is Oracle's first monthly Critical Security Patch Update — establishing a new monthly cadence for delivering targeted fixes between quarterly Critical Patch Updates (CPUs). It covers vulnerabilities across Oracle's full product portfolio.

Which Oracle products does the May 2026 CSPU cover?
The May 2026 CSPU covers 37 Oracle products spanning Fusion Cloud (Payables, Receivables, GL, Procurement, Payments, Identity & Access, Integration, Automation Framework, Platform Security) plus the broader Oracle portfolio: Database Server, Java SE, MySQL, E-Business Suite, PeopleSoft, JD Edwards, Siebel CRM, Fusion Middleware, Analytics, Hyperion, GoldenGate, REST Data Services, Communications, Retail, Hospitality, Life Sciences, Supply Chain, Construction & Engineering, Utilities, Commerce, Blockchain, Virtualization, Systems, TimesTen, Enterprise Manager, Financial Services and the Autonomous Health Framework.

What's the severity breakdown for May 2026 CSPU?
Oracle flagged 9 of the 37 security advisories as CRITICAL, 23 as HIGH and 4 as MEDIUM-HIGH. CSPUs prioritise high-impact security vulnerabilities — every release item requires validation in customer-managed environments.

Are Oracle Cloud customers affected by May 2026 CSPU?
Customers using Oracle-managed cloud services receive these updates automatically as part of the service. Customer-managed environments — on-premise Oracle deployments, hybrid landscapes, Java SE installations, MySQL clusters, EBS/PeopleSoft/JD Edwards instances, etc. — must apply the May 2026 CSPU manually and validate critical business flows.

What should we validate after applying May 2026 CSPU?
Validate identity flows (login, SSO, MFA, OAuth), role-based access (RBAC, SoD), API authentication and integration payloads, core ERP transactions, and product-specific flows for each impacted Oracle product (Java apps, Database access, MySQL clusters, EBS forms, PeopleSoft self-service, etc.). SyntraFlow ships pre-built CSPU validation packs covering all areas.

When is the next CSPU after May 2026?
June 16, 2026 is the next monthly CSPU. The quarterly CPU on July 21, 2026 will be cumulative — including all May and June CSPU fixes. August 18, 2026 brings the following CSPU.
