Oracle Communications, Fusion Middleware, MySQL, E-Business Suite and Financial Services lead 483 new security patches.
–URGENT ACTION REQUIRED–
Highlights
- Oracle’s April 2026 CPU ships 483 new security patches – one of the largest CPUs on record.
- No CVSS 10.0 this quarter, but multiple CVSS 9.8 vulnerabilities are remotely exploitable without authentication.
- Fusion Middleware fixes CVE-2026-21992 (CVSS 9.8) – Oracle Identity Manager / Web Services Manager unauthenticated RCE, first shipped in the March out-of-band alert.
- MySQL (34), E-Business Suite (18), Financial Services and PeopleSoft (21) all receive new patches – attacker focus on EBS and Identity Manager remains elevated after the Cl0p / KEV activity of late 2025.
- Java SE: 12 patches, 8 remotely exploitable, max CVSS 7.5 – availability impact primarily; Waratek RASP mitigates JVM-level attack classes without waiting for a full upgrade.
- Action: Apply the April CPU immediately on internet-facing Fusion Middleware and EBS; contact [email protected] to confirm which RASP rules already cover your stack.
Commentary
The Oracle Critical Patch Update (CPU) for April 2026 contains 483 new security patches addressing vulnerabilities in Oracle code and third-party components across more than two dozen product families. This is one of the largest Oracle CPUs on record and includes fixes already staged by Oracle’s out-of-band March 2026 security alert for CVE-2026-21992. Oracle strongly recommends immediate application of these patches due to continued reports of in-the-wild exploitation attempts against recent Oracle vulnerabilities.
Waratek RASP customers may already be protected by a Waratek RASP rule from attacks attempting to exploit these vulnerabilities. Contact [email protected] for more specific information about how the April 2026 Oracle Critical Patch Update may impact your applications.
Critical CVSS Summary (Score 9.0+)
Several product families carry multiple vulnerabilities with a CVSS base score of 9.8 – remotely exploitable over the network without authentication – and should be treated as top patching priorities.
| CVE ID | CVSS | Affected Product Families | Vulnerability Impact |
|---|---|---|---|
| CVE-2026-21992 | 9.8 | Fusion Middleware (Identity Manager, Web Services Manager) | Unauthenticated remote code execution (out-of-band March alert rolled into CPU). |
| CVE-2026-21962 | 9.8 | Fusion Middleware, Oracle Communications (HTTP Server / WebLogic / SBC) | Remote exploitation of Proxy Plug-in affecting multiple product families. |
| Multiple | 9.8 | Oracle Communications (137 patches; 91 remotely exploitable) | Largest patched family in this CPU; several unauthenticated RCE vectors. |
| Multiple | 9.8 | Oracle MySQL (34 new patches) | Critical third-party component flaws remotely exploitable without auth. |
| Multiple | 9.8 | Oracle Financial Services Applications | Unauthenticated network-accessible vulnerabilities. |
| Multiple | 9.8 | Oracle E-Business Suite (18 patches; 8 remotely exploitable) | Continued focus area after October 2025 zero-day exploitation. |
Focus Area: Key Product Families
Oracle Communications
Oracle Communications received 137 new security patches, of which 91 are remotely exploitable without authentication – the largest single-family patch batch in this CPU.
- Highest Severity: CVSS 9.8 across multiple Communications products, including Operations Monitor, Session Border Controller and Unified Assurance. Several of the underlying flaws stem from shared third-party components (e.g. HTTP Server / Proxy Plug-in, valkey) that are also patched in Fusion Middleware.
- Operational Risk: Network-facing signaling and telemetry planes are exposed. Service providers and carrier-grade deployments should prioritize patching immediately.
Oracle Fusion Middleware
Fusion Middleware received 59 new security patches, with 46 being remotely exploitable without authentication.
- Highest Severity: CVE-2026-21992 (CVSS 9.8) affecting Oracle Identity Manager (REST WebServices) and Oracle Web Services Manager (Web Services Security). This flaw was first disclosed as an out-of-band alert on March 20, 2026 after the closely related CVE-2025-61757 was added to CISA’s KEV catalog in November 2025. An unauthenticated attacker with HTTP network access to the affected service can remotely execute code.
- Widespread Risk: Additional CVSS 9.8 issues affect WebLogic Server, HTTP Server and Oracle Access Manager, driven by flaws in Apache and OpenSSL-adjacent components. Customers running externally reachable Fusion Middleware endpoints should treat this CPU as urgent.
Oracle MySQL
Oracle MySQL received 34 new security patches with a highest CVSS base score of 9.8. Vulnerabilities impact MySQL Server, MySQL Cluster, MySQL Connectors and MySQL Enterprise Monitor.
- Infrastructure Risk: Issues primarily involve third-party components (OpenSSL, libxml2, zlib / zstd and similar dependency chains) and protocol-level defects. Several are remotely exploitable without authentication and carry high availability impact.
Oracle E-Business Suite (EBS)
EBS includes 18 new security patches, with 8 remotely exploitable without authentication. The highest CVSS base score affecting EBS is 9.8.
- Key Vulnerability: High-severity issues again affect EBS-facing web components – continuing a pattern that began with the October 2025 EBS zero-day (CVE-2025-61882) exploited by the Cl0p group. Customers should assume attacker focus remains elevated on EBS.
- Dependency Warning: EBS relies on Database and Fusion Middleware; customers must apply relevant patches to those underlying components as well.
Oracle Financial Services Applications
Oracle Financial Services Applications receives patches with a highest CVSS base score of 9.8. Multiple components across the FLEXCUBE, Banking and Analytical Applications suites are affected by third-party component flaws that can be exploited without authentication.
- Regulatory / Audit Risk: Financial institutions subject to PCI, DORA and local banking regulations should treat these CVSS 9.8 findings as gating items for their next compliance window.
Oracle PeopleSoft
PeopleSoft received 21 new security patches, of which 7 are remotely exploitable without authentication. The highest CVSS base score affecting PeopleSoft is 8.8 – down from January’s 10.0 score driven by the Apache Tika XXE flaw.
- Dependency Warning: PeopleSoft deployments are heavily influenced by the underlying Fusion Middleware and MySQL / Database patches; January’s CVSS 10.0 exposures remain a priority if they were not yet applied.
Oracle Java SE
Java SE contains 12 new security patches, of which 8 are remotely exploitable without authentication. Affected releases include Oracle Java SE 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.1, 25.0.2 and 26.
- Max Score: CVSS 7.5 across the affected Java SE components, with impact primarily to availability.
- Affected Components: Vulnerabilities concentrate in Security (JSSE, PKI), Networking / HTTP client, and HotSpot. Environments using mutual TLS, JNDI lookups into untrusted stores, or long-lived JVM processes should review exposure.
- Waratek RASP (formerly Waratek Secure) customers can continue to mitigate classes of JVM-level attacks (deserialization, expression-language injection, SSRF via URL handlers, and runtime class-loading abuse) without waiting for a full Java upgrade cycle.
Threat Intelligence: Active Attacks and Zero-Days
- Recent Zero-Day Context: The April 2026 CPU is the first regular CPU to ship after the Cl0p-led exploitation of Oracle E-Business Suite (CVE-2025-61882) in October 2025 and the KEV-listed exploitation of Oracle Identity Manager (CVE-2025-61757) in November 2025. Attacker interest in Oracle middleware and EBS remains elevated.
- Out-of-Band Fix Rolled In: CVE-2026-21992 (CVSS 9.8) – Oracle Identity Manager and Web Services Manager unauthenticated RCE – was first shipped as an emergency patch on March 20, 2026 and is now folded into the April CPU. Customers who deferred the March hotfix must not defer further.
For More Information
Waratek Customers should contact [email protected] for more specific information about the April 2026 Oracle Critical Patch Update.
If you are interested in how Waratek can block attacks against known and zero-day vulnerabilities and help patch / protect your applications with no downtime or source code changes, schedule a demo.
Full Oracle advisory: https://www.oracle.com/security-alerts/cpuapr2026.html