Oracle Goes Monthly: First CSPU, 35 Patches Including CVSS 10.0 (May 2026)
On May 28, 2026, Oracle switched its quarterly CPU to a monthly CSPU. The first wave shipped 35 patches, including a CVSS 10.0 in Oracle REST Data Services (CVE-2026-46840), 12 for E-Business Suite, 3 for Database, and 1 for Hospitality OPERA 5. The Cl0p E-Business Suite zero-day campaign is the backdrop.

Makoto Horikawa
Backend Engineer / AWS / Django
On May 28, 2026, Oracle switched its quarterly Critical Patch Update (CPU) to a monthly cadence and shipped its first Critical Security Patch Update (CSPU) with 35 security patches. One is a CVSS 10.0 (CVE-2026-46840, Oracle REST Data Services); eleven of them score 9.0 or higher; twelve land on E-Business Suite alone.
The official advisory (cspumay2026.html) went live the same day. For system integrators (SIers) and enterprise teams running Oracle E-Business Suite as their HR, finance, procurement, or sales-management backbone, monthly patch planning has arrived together with a maximum-severity vulnerability, a workload the old quarterly CPU never imposed.
The backdrop is the Cl0p ransomware group's mass exploitation of Oracle E-Business Suite (CVE-2025-61882), under way since August 2025. A quarterly calendar offers no scheduled release between a CISA warning and the next CPU; Oracle had to fall back on an out-of-band Security Alert, and decided that gap was untenable. Oracle's official blog describes monthly CSPUs as "smaller and more focused," and disclosed that Anthropic's Claude and OpenAI's models are now embedded in Oracle's vulnerability detection and response workflows.
Oracle CSPU May 2026 — what shipped, at a glance
A single table summarizing the first monthly CSPU by product line. E-Business Suite dominates the count; ORDS carries the CVSS 10.0.
| Product line | Count | Top CVSS | Unauth. RCE? | Where it lives |
|---|---|---|---|---|
| Oracle REST Data Services (ORDS) | 3 | 10.0 (CVE-2026-46840) | ✅ Yes | REST API gateway for Oracle DB |
| Oracle E-Business Suite | 12 | 9.9 (CVE-2026-46822/ 46824) | 3 of 12 are unauth. | HR, finance, procurement, sales backbone |
| Oracle Database Server | 3 | 9.0 (CVE-2026-46833) | ✅ Yes (AC:H) | Finance, public sector, SI |
| Oracle Hospitality OPERA 5 | 1 | 9.8 (CVE-2026-34311) | ✅ Yes | Global hotel chain reservation / PMS |
| Others (various) | 16 | — | — | — |
| Total | 35 | 10.0 | — | — |
The unauthenticated, network-reachable issues are typically reached through internet-facing ORDS APIs, or by lateral movement once an attacker is already on the internal network. A CVSS 10.0 on ORDS means full compromise of the ORDS host and, through it, the database it fronts; if a working exploit appears during the gap before customers patch, the blast radius is severe.
Why Oracle switched from quarterly to monthly
Oracle's quarterly CPU has shipped on the Tuesday closest to the 17th of January, April, July, and October for over two decades, a cadence that fit neatly into enterprise customers' once-a-quarter maintenance windows.
Then 2025 H2 happened. The Cl0p ransomware group mass-exploited a zero-day in the Concurrent Processing component of Oracle E-Business Suite (later assigned CVE-2025-61882, CVSS 9.8), exfiltrating data from multiple large enterprises. Oracle published an out-of-band Security Alert with a fix; CISA added the CVE to the KEV (Known Exploited Vulnerabilities) catalog. But the quarterly calendar itself offered nothing between the July and October CPUs: until that alert shipped, every E-Business Suite operator worldwide sat in a "we have no patch to apply" window, and the next zero-day would put them there again.
Monthly CSPUs are designed to shrink that window to "at most 30 days." Oracle's official announcement frames them as "smaller and more focused," but for operators this means swapping "quarterly spring cleaning" for "twelve small patch waves a year," with twelve test plans and twelve maintenance windows. Oracle also explicitly stated that Anthropic's Claude and OpenAI's models are now part of its vulnerability detection pipeline — AI-accelerated triage is effectively a prerequisite for going monthly.
The quarterly CPU does not go away. Monthly CSPUs run alongside it. The next quarterly CPU is scheduled for July 2026, so the May–June–July window will see two CSPUs and one CPU stacked back-to-back.
Why CVE-2026-46840 (ORDS, CVSS 10.0) is the must-fix today
CVSS 10.0 is the theoretical maximum of CVSS v3.1; it only appears when every metric maxes out. The exact profile here is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — network, low complexity, no auth, no user interaction, scope change, full impact on confidentiality, integrity, and availability.
Oracle REST Data Services (ORDS) is Oracle's official gateway for exposing Oracle Database tables, views, and stored procedures as REST endpoints. Many shops put ORDS in front of "internal DB → external API" and "internal web app → DB" data flows, which means the blast radius isn't ORDS itself — it propagates to the Oracle Database behind it. The S:C (scope change) flag in the CVSS vector encodes exactly this propagation.
Affected ORDS versions are 24.2.0 — 26.1.0. ORDS commonly sits in the DMZ or behind a public load balancer, which puts a CVSS 10.0 hole on internet-reachable infrastructure with no authentication wall in front of it. Fixes are distributed via My Oracle Support; registered customers should log in now and pull the fixed ORDS build for their release line, after confirming the installed version on each host rather than trusting the inventory.
Who wants this CSPU release — the attackers waiting for May 28
Attackers targeting Oracle have professionalized sharply over the past year, led by Cl0p. From the attacker's side, the release of CSPU #1 is the starting gun for the race to weaponize before customers patch. Who they are, what they want, and how far they take it, concretely:
The buyers and operators currently sizing up this CSPU are concrete: Cl0p and Cl0p-rebadged Eastern European ransomware affiliates; industrial-espionage crews chasing finance and HR data inside Japanese and US enterprises running E-Business Suite; card-fraud rings hunting hotel reservation systems and stored card data; and double-extortion operators who want full Oracle Database snapshots as ransom leverage.
What they pull out is not abstract either. For a Japanese enterprise it means the HR database with every employee's salary and bonus, the procurement database of supplier master records and payment terms, the sales database with the unpublished order backlog, the cost-accounting module's internal margins, scanned PDFs of approvals and signed contracts, and the finance team's bank-transfer templates. One externally reachable CVE from this CSPU, successfully triggered, puts every record above within the attacker's reach.
Reconnaissance is heavily automated. A Shodan query for response bodies containing ords/ or /OA_HTML/ enumerates exposed E-Business Suite and ORDS instances; cross-referencing the CSPU release date with the affected component names yields a mechanical list of targets to try over the next seven days. Cl0p showed in 2025 that it can hit production E-Business Suite environments before any public PoC exists; this time the race is to extract value from the gap between CSPU release and customer rollout. Monthly cadence narrows that gap, but it also makes the week after each monthly release a hot zone for every Oracle shop.
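The defender-side counterpart to the reconnaissance described above, as an added example that is not from the page, from Oracle, or from any product: a triage script that runs over reverse-proxy access logs in the hot week after a release and flags requests to the two path prefixes scanners look for (/ords/ and /OA_HTML/) by external source, unexpected HTTP method, and probing status codes, and counts Oracle-path requests per source as input to the rate limiting and method blocking in action 4 of the checklist further down. Assumptions: Apache/nginx combined log format, RFC 1918 space as "internal", and GET/HEAD/POST as the only legitimate methods; the sample log is constructed with documentation IP ranges, not captured traffic.

```python
"""Triage of reverse-proxy access logs for probing against ORDS and E-Business Suite paths.

Added example, not from the page, Oracle, or any SIEM product. Assumes Apache/nginx
combined log format and RFC 1918 ranges as 'internal'; adjust both to your environment.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined log format: src ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The two path prefixes the page says scanners look for (ORDS and the EBS web tier).
ORACLE_PATH_RE = re.compile(r"^/ords(/|$)|/OA_HTML/", re.IGNORECASE)

# Assumption: the ORDS modules behind this proxy only need GET/HEAD/POST.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Assumption: RFC 1918 space is "internal"; anything else is an external source.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str):
    """Return the fields we need as a dict, or None for lines not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_internal(src: str) -> bool:
    try:
        ip = ip_address(src)
    except ValueError:          # hostnames or garbage are treated as external
        return False
    return any(ip in net for net in INTERNAL_NETS)


def triage(lines, threshold: int = 5):
    """Return (findings, noisy_sources).

    findings: one entry per suspicious request against an Oracle path.
    noisy_sources: sources with >= threshold Oracle-path requests (rate-limit candidates).
    """
    findings = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ORACLE_PATH_RE.search(rec["path"]):
            continue
        per_source[rec["src"]] += 1
        reasons = []
        if not is_internal(rec["src"]):
            reasons.append("external source")
        if rec["method"] not in ALLOWED_METHODS:
            reasons.append(f"method {rec['method']}")
        if rec["status"] in (401, 403, 404):   # path/auth probing leaves these behind
            reasons.append(f"status {rec['status']}")
        if reasons:
            findings.append({"src": rec["src"], "method": rec["method"],
                             "path": rec["path"], "reasons": reasons})
    noisy = {src: n for src, n in per_source.items() if n >= threshold}
    return findings, noisy


# Constructed sample log (documentation IP ranges); not captured traffic.
SAMPLE_LOG = """\
10.20.30.40 - - [28/May/2026:10:15:01 +0900] "GET /ords/hr/employees/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.30.40 - - [28/May/2026:10:15:02 +0900] "POST /ords/hr/employees/ HTTP/1.1" 201 88 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:16:00 +0900] "GET /ords/ HTTP/1.1" 404 196 "-" "python-requests/2.32"
203.0.113.7 - - [28/May/2026:10:16:01 +0900] "GET /ords/hr/ HTTP/1.1" 404 196 "-" "python-requests/2.32"
203.0.113.7 - - [28/May/2026:10:16:01 +0900] "GET /ords/fin/ HTTP/1.1" 404 196 "-" "python-requests/2.32"
203.0.113.7 - - [28/May/2026:10:16:02 +0900] "GET /ords/pdb1/ HTTP/1.1" 403 196 "-" "python-requests/2.32"
203.0.113.7 - - [28/May/2026:10:16:02 +0900] "OPTIONS /ords/hr/employees/ HTTP/1.1" 200 0 "-" "python-requests/2.32"
198.51.100.9 - - [28/May/2026:10:17:30 +0900] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
10.20.30.41 - - [28/May/2026:10:18:00 +0900] "GET /static/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    findings, noisy = triage(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['src']:15} {f['method']:7} {f['path']:25} {', '.join(f['reasons'])}")
    print("rate-limit candidates:", noisy)
```

On the constructed sample the internal application traffic produces no findings, the 203.0.113.7 sweep across /ords/ subpaths is flagged on every request and crosses the per-source threshold, and the single external hit on /OA_HTML/AppsLogin is flagged on source alone; whether that last one is a legitimate remote user or a scanner is exactly the question the exposure review has to answer.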
CVSS 10.0 is just the technical ceiling for "one server taken over." What an enterprise actually loses is the month-end financial close data, pre-earnings-announcement financials, the cost structure of the company's top-margin product line, the multi-year SAP-to-Oracle migration plan, and — for hotel chains — the loyalty program data and stay history of millions of guests. Teams that lived through Cl0p's 2025 Oracle E-Business Suite campaign know exactly why this first monthly CSPU is not something to read as a far-away event.
Three-layer blast-radius table
By Oracle deployment pattern, what this CSPU reaches and what it doesn't.
| Deployment | In reach | Out of reach (needs another CVE) |
|---|---|---|
| Mid-tier SI operating many customer tenants | ✅ DMZ ORDS instances ✅ Customer EBS Payments / Procurement ✅ Oracle Database connection strings | ❌ Customer-side ADF / SSO ❌ Adjacent systems run by a different SI |
| Enterprise backbone EBS (self-operated) | ✅ All HR / finance / procurement / sales masters ✅ Month-end close data ✅ Bank transfer templates ✅ Performance metrics | ❌ Hypervisor ❌ Active Directory (not in direct reach, but a compromised EBS host with unrestricted egress is a pivot toward it) |
| Hotel / travel OPERA 5 | ✅ All reservation records ✅ Stay history ✅ Loyalty program member DB ✅ Check-in/out logs | ❌ PCI DSS-compliant card vault (if tokenization layer is upstream) |
The mid-tier SI case is especially sharp: one compromised ORDS instance can leak connection strings for many downstream customer databases at once. Given how contractual liability is divided, the SI's response speed feeds directly into customer indemnity exposure.
Per-CVE notes for the Criticals
Per-CVE notes for CVSS 9.0 and above. Authoritative per-CVE details live in the Oracle advisory.
CVE-2026-46840: ORDS, unauthenticated RCE (CVSS 10.0)
Hits ORDS 24.2.0 — 26.1.0 with AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. HTTPS-reachable, no auth needed. The scope-change flag means the impact propagates from ORDS to the Oracle Database it fronts. Top priority for this CSPU.
CVE-2026-46775: ORDS, authenticated full takeover (CVSS 9.9)
Same ORDS version range. A low-privileged authenticated attacker can take over ORDS via HTTPS. Patch alongside CVE-2026-46840.
CVE-2026-46839: ORDS, privilege escalation (CVSS 9.9)
Third ORDS 24.2.0 — 26.1.0 finding. A low-privileged user gets full confidentiality, integrity, and availability impact. Three ORDS criticals in one release, all 9.9 or higher.
CVE-2026-46822: E-Business Suite iAssets (CVSS 9.9)
EBS 12.2.3 — 12.2.15, iAssets (fixed-asset management) component. HTTP-reachable, low-privileged attacker takes over. iAssets is widely used in Japanese listed companies' finance systems.
CVE-2026-46824: E-Business Suite Universal Work Queue (CVSS 9.9)
Same EBS range. Work Provider Site Level Administration is the entry path. Scope-change flag means impact escapes Universal Work Queue and reaches adjacent components.
CVE-2026-46817: E-Business Suite Payments (CVSS 9.8)
EBS 12.2.3 — 12.2.15 Payments / File Transmission, unauthenticated, HTTP-reachable. Full impact on confidentiality, integrity, and availability. Because Payments handles settlement, a successful hit lands harder than other EBS components.
CVE-2026-46819: E-Business Suite Internet Procurement Connector (CVSS 9.1)
Same EBS range, Internet Procurement Connector. Unauthenticated remote attack enabling create/delete/modify on critical data. Availability is untouched (A:N), but write-tampering procurement records is a financial-audit problem on its own.
CVE-2026-46833: Oracle Database Server Net Service (CVSS 9.0)
Oracle Database Server 23.4.0 — 23.26.2, Net Service component. TLS-reachable, unauthenticated, but high attack complexity (AC:H). Scope change reaches Oracle Database itself — top priority for finance, public sector, and major SI teams.
CVE-2026-34311: Hospitality OPERA 5 (CVSS 9.8)
Oracle Hospitality OPERA 5 Property Services 5.6.19.24 / 5.6.22 / 5.6.25.19 / 5.6.27.6 / 5.6.28. Unauthenticated remote attack. OPERA 5 is the reservation/PMS backbone for global hotel chains; on a successful hit, every reservation record and loyalty profile is exposed.
Other EBS High CVEs (CVE-2026-46820 / 46826 / 46827 / 46837)
Four EBS High issues in the 8.5 — 8.8 range: Financials Common Modules (46820), Payroll Internal Operations (46826), Payroll Self Service Manager (46827), Flow Manufacturing (46837). All require low-privileged authenticated access; Payroll in particular is a fast path to every employee's personal information and bank details — HR departments should treat it as same-week urgent.
Three structural changes monthly CSPUs bring to operations
Monthly cadence isn't just "patches 4× more often." It restructures the maintenance workflow in three ways.
| Change | Quarterly CPU era | Monthly CSPU era |
|---|---|---|
| Maintenance windows | 4 / year, each large patch wave (tens of CVEs) | 12 / year, each small patch wave (5–10 CVEs) |
| Test plan | Quarterly, 2–4 weeks of full testing | Monthly, 3–5 days of lightweight testing |
| SI service contracts | Quarterly patch application fee (monthly-amortized) | Monthly patch application — must renegotiate |
In Japan, many SI-customer Oracle service contracts priced "quarterly CPU application" as the unit of work; the monthly CSPU change immediately triggers contract review. IT departments should re-check the "Oracle patch application" clauses in their existing contracts.
Five things to do this week
If you operate Oracle E-Business Suite, ORDS, or Oracle Database, work through these in order.
| # | Action | What that actually means |
|---|---|---|
| 1 | ORDS emergency patch | Pull the ORDS CSPU from My Oracle Support and apply to DMZ-deployed instances first. |
| 2 | Verify EBS 12.2.3 — 12.2.15 | If your EBS is in this range, identify patch numbers for Payments / iAssets / Universal Work Queue. |
| 3 | Review SI service contracts | Reframe the "Oracle patch application" clauses from quarterly assumption to monthly cadence; prepare renegotiation terms. |
| 4 | Tighten WAF around DMZ ORDS | Until patches land, tighten ORDS API auth checks, block unused HTTP methods, throttle rate limits. |
| 5 | Make the monthly CSPU calendar operational | Put each month's CSPU release date, as published by Oracle, on the standing review calendar (take the dates from Oracle's schedule rather than assuming a fixed weekday) and restructure patch planning around a monthly cycle. |
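The version ranges quoted on this page (ORDS 24.2.0 — 26.1.0, EBS 12.2.3 — 12.2.15, Database 23.4.0 — 23.26.2, and the discrete OPERA 5 builds in the per-CVE notes) are easy to misjudge when compared as strings, because "12.2.15" sorts before "12.2.3". As an added example in support of action 2 (mine, not Oracle's tooling), here is a numeric version check that runs an inventory against those ranges. The ranges are the ones stated on this page; confirm them against the advisory, and read installed versions from the hosts themselves rather than from the CMDB. The inventory rows are constructed.

```python
"""Affected-version check for the ranges this page quotes from the May 2026 CSPU.

Added example, not Oracle's tooling. The ranges below are the ones stated on this
page; confirm them against the advisory before acting on the output.
"""
import re

# Version ranges as quoted on this page (inclusive). OPERA 5 is listed as discrete builds.
AFFECTED = {
    "ORDS":   {"ranges": [("24.2.0", "26.1.0")]},
    "EBS":    {"ranges": [("12.2.3", "12.2.15")]},
    "DB":     {"ranges": [("23.4.0", "23.26.2")]},
    "OPERA5": {"exact": ["5.6.19.24", "5.6.22", "5.6.25.19", "5.6.27.6", "5.6.28"]},
}


def parse_version(s: str) -> tuple:
    """'12.2.15' -> (12, 2, 15). Comparing the strings would put 12.2.15 before 12.2.3."""
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(part) for part in s.split("."))


def _pad(t: tuple, width: int) -> tuple:
    """Right-pad with zeros so (12, 2) compares equal to (12, 2, 0)."""
    return t + (0,) * (width - len(t))


def version_in_range(version: str, low: str, high: str) -> bool:
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    return _pad(lo, width) <= _pad(v, width) <= _pad(hi, width)


def version_equals(a: str, b: str) -> bool:
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return _pad(va, width) == _pad(vb, width)


def is_affected(product: str, version: str) -> bool:
    spec = AFFECTED[product]
    if any(version_in_range(version, lo, hi) for lo, hi in spec.get("ranges", [])):
        return True
    return any(version_equals(version, exact) for exact in spec.get("exact", []))


def inventory_report(rows):
    """rows: iterable of (host, product, version). Returns the rows that need the CSPU."""
    return [(host, product, version) for host, product, version in rows
            if is_affected(product, version)]


# Constructed inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("ords-dmz-01", "ORDS", "25.3.1"),
    ("ords-dmz-02", "ORDS", "24.1.0"),
    ("ebs-app-01", "EBS", "12.2.15"),
    ("ebs-app-02", "EBS", "12.1.3"),
    ("db-fin-01", "DB", "23.26.2"),
    ("db-fin-02", "DB", "19.3.0"),
    ("pms-hotel-01", "OPERA5", "5.6.22"),
    ("pms-hotel-02", "OPERA5", "5.6.23"),
]

if __name__ == "__main__":
    for host, product, version in inventory_report(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range")
```

One caveat the page cannot settle: a quoted range such as 24.2.0 — 26.1.0 says the endpoints are affected, not that every intermediate build is; the advisory's per-version table is the authority, and an inventory hit from this script means "go read that table", not "patch blindly".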
Since 2025's Cl0p campaign, Oracle E-Business Suite has an established economic incentive for attackers. Existing E-Business Suite entries in the CISA KEV catalog make it clear this is not a "wait for the next monthly CSPU" situation.
Closing — monthly is not "easier," it's "less hiding room"
Oracle's monthly CSPU shift is not a comfort move for customers. It is a turning point that lays bare the vendor's bind: against Cl0p-class operators, Oracle has to compress its window of exposure from quarterly to monthly. That CSPU #1 already carries a CVSS 10.0 and eleven Criticals can also be read as a result of Oracle's new AI-assisted internal vulnerability detection: long-dormant issues surfacing all at once.
For Japanese system integrators (SIers), enterprise IT departments, and core-business operations teams, this CSPU poses the operational question of how to ride the monthly cadence. Quarterly-based service contracts, change-management processes, and test-effort allocations all need rebuilding before the next monthly CSPU (planned for June 2026) arrives.
Monthly CSPUs run alongside the quarterly CPU, which next ships in July 2026. The May CSPU, June CSPU, and July CPU stack up across the early summer — before that summer is over, every Oracle operator will have to make a full transition decision.
References
- Oracle - Critical Security Patch Update Advisory: May 2026 (released May 28, 2026; first monthly CSPU)
- Oracle official blog - Monthly Critical Security Patch Updates Begin May 28, 2026
- Help Net Security - Oracle rolls out monthly security patch updates (May 5, 2026)
- NVD - CVE-2026-46840 (ORDS, CVSS 10.0)
- NVD - CVE-2026-46775 (ORDS, CVSS 9.9)
- NVD - CVE-2026-46839 (ORDS, CVSS 9.9)
- NVD - CVE-2026-46822 (E-Business Suite iAssets, CVSS 9.9)
- NVD - CVE-2026-46824 (E-Business Suite Universal Work Queue, CVSS 9.9)
- NVD - CVE-2026-46817 (E-Business Suite Payments, CVSS 9.8)
- NVD - CVE-2026-46819 (E-Business Suite Internet Procurement Connector, CVSS 9.1)
- NVD - CVE-2026-46833 (Oracle Database Server Net Service, CVSS 9.0)
- NVD - CVE-2026-34311 (Oracle Hospitality OPERA 5, CVSS 9.8)
- Oracle Security Alert - CVE-2025-61882 (the Cl0p E-Business Suite zero-day)
- HIPAA Journal - Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite
- Security Affairs - Oracle patches critical E-Business Suite flaw exploited by Cl0p hackers