WatersWorks

By John K. Waters


Oracle’s April Patch Update Lands With 481 Security Fixes

Oracle has released its April 2026 Critical Patch Update, and it is a big one: 481 new security patches across a wide range of products, including Oracle Database, Fusion Middleware, Java SE, MySQL, E-Business Suite, Enterprise Manager, Financial Services Applications, Communications, and Retail Applications.

As usual with Oracle’s quarterly patch cycle, the update covers both Oracle code and third-party components included in Oracle products. Oracle says the advisories generally describe only the new security fixes added since the previous update, even though the patches themselves are typically cumulative. The company also reiterated its standing warning that attackers continue to target vulnerabilities with existing fixes and urged customers to apply patches without delay.

The largest batch of fixes is in Oracle Communications, which received 139 new patches. Oracle says 93 of those vulnerabilities may be remotely exploitable without authentication. That means an attacker could potentially exploit them over a network without needing user credentials. Several of the listed issues carry CVSS 3.1 base scores of 9.8, a rating that tends to get security teams’ attention quickly.

Oracle Financial Services Applications also saw a large number of fixes, with 75 new patches, including 59 that Oracle says may be remotely exploitable without authentication. The affected products include Oracle Financial Services Analytical Applications Infrastructure, Compliance Studio, Customer Screening, Transaction Filtering, FLEXCUBE, and several Oracle Banking products.

Another major area is Oracle Fusion Middleware, which received 59 new patches. Oracle says 46 of those may be remotely exploitable without authentication. The April update also includes fixes tied to a March 20 security alert involving Oracle Identity Manager and Oracle Web Services Manager, tracked as CVE-2026-21992.

MySQL received 34 new security patches, with three vulnerabilities described as remotely exploitable without authentication. One issue affecting MySQL Enterprise Backup and involving OpenSSL was assigned a CVSS 3.1 base score of 9.8 by Oracle’s risk matrix.

The update also includes 26 patches for Oracle Database Products. The database server itself received eight new fixes, four of which Oracle says may be remotely exploitable without authentication. One patch applies to client-only installations, with Oracle listing CVE-2025-48924 as affecting those deployments.

There are also fixes for several major enterprise application families. Oracle E-Business Suite received 18 patches, Oracle Retail Applications received 15, and Oracle Enterprise Manager received nine. Oracle notes that products such as E-Business Suite and Enterprise Manager may include Oracle Database and Fusion Middleware components, so customers should also pay attention to related patches.

The Java SE section includes vulnerabilities affecting Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Some Java issues are remotely exploitable without authentication, though Oracle’s matrix also distinguishes issues that require local access or user interaction.

For IT and security teams, the practical takeaway is straightforward: this is not a patch cycle to skim. The number of remotely exploitable, unauthenticated vulnerabilities makes prioritization essential, especially for internet-facing systems, middleware, identity tools, communications products, databases, and business-critical applications.
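One way to turn that prioritization advice into a repeatable check, as an added example that is not from the article or from Oracle: rank risk-matrix rows by whether they are remotely exploitable without authentication, whether the host is internet-facing, and CVSS 3.1 base score. The rows, CVE ids and the `internet_facing` inventory flag are constructed placeholders, not entries from the April 2026 update.

```python
"""Triage helper for Oracle Critical Patch Update risk-matrix rows (example only)."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class MatrixRow:
    product: str
    cve: str
    cvss: float            # CVSS 3.1 base score as listed in the risk matrix
    remote_no_auth: bool   # "may be remotely exploitable without authentication"
    internet_facing: bool  # assumed: taken from your own asset inventory, not Oracle


# Constructed sample rows with placeholder CVE ids (not from the advisory).
SAMPLE_ROWS = [
    MatrixRow("Oracle Communications", "CVE-XXXX-0001", 9.8, True, True),
    MatrixRow("Oracle Database Server", "CVE-XXXX-0002", 7.5, True, False),
    MatrixRow("Oracle Java SE", "CVE-XXXX-0003", 8.1, False, True),
    MatrixRow("Oracle Enterprise Manager", "CVE-XXXX-0004", 9.8, True, False),
    MatrixRow("MySQL Server", "CVE-XXXX-0005", 4.9, False, False),
]


def priority_key(row: MatrixRow) -> tuple:
    """Sort key: exposed AND unauthenticated-remote first, then any
    unauthenticated-remote issue, then raw CVSS score."""
    return (row.remote_no_auth and row.internet_facing, row.remote_no_auth, row.cvss)


def triage(rows, cvss_floor: float = 7.0) -> list:
    """Return rows scoring at or above cvss_floor, most urgent first."""
    eligible = [r for r in rows if r.cvss >= cvss_floor]
    return sorted(eligible, key=priority_key, reverse=True)


def summarize(rows) -> dict:
    """Per product: (total patches, how many are remote-no-auth), the same
    two numbers Oracle's advisory quotes for each product family."""
    counts = defaultdict(lambda: [0, 0])
    for r in rows:
        counts[r.product][0] += 1
        counts[r.product][1] += int(r.remote_no_auth)
    return {product: tuple(c) for product, c in counts.items()}


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        print(f"{r.cve}  {r.product:<28} CVSS {r.cvss}  remote/no-auth={r.remote_no_auth}")
    print(summarize(SAMPLE_ROWS))
```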

Oracle says customers may be able to temporarily reduce risk by blocking the network protocols needed for an attack, but it frames this as a stopgap rather than a substitute for patching. The company’s recommendation is clear: apply the fixes as soon as possible.

The next scheduled Oracle Critical Patch Updates are set for July 21, 2026, October 20, 2026, January 19, 2027, and April 20, 2027.

Posted by John K. Waters on May 1, 2026