Advisory

Oracle April 2026 Critical Patch Update Addresses 481 Vulnerabilities

Take action: If you run Oracle products, review this advisory in detail. Patch internet-facing systems first: more than 300 of the vulnerabilities are exploitable over the network by an attacker with no credentials. Within that set, start with Oracle Communications and Fusion Middleware, which carry the highest concentration of critical, network-reachable flaws.


Oracle has released its quarterly Critical Patch Update for April 2026 with 481 new security patches fixing issues across 28 product families in the Oracle ecosystem. 

The security update addresses vulnerabilities in Oracle's major product families, including Oracle Communications (139 patches), Financial Services Applications (75 patches), Oracle Fusion Middleware (59 patches), MySQL (34 patches), PeopleSoft (21 patches), and Oracle E-Business Suite (18 patches). Roughly three dozen fixes resolve critical-severity security defects.

Critical vulnerabilities (CVSS score 9.8)

  • CVE-2025-6965 - affecting Oracle Communications Cloud Native Core Network Exposure Function, allowing remote exploitation without authentication
  • CVE-2025-68615 - affecting Oracle Communications EAGLE, Oracle Communications LSMS, Oracle Communications Messaging Server, Oracle Communications Operations Monitor, and Oracle Communications Policy Management, allowing remote exploitation without authentication
  • CVE-2026-34275 - affecting Oracle Advanced Inbound Telephony Setup and Administration, allowing remote exploitation without authentication
  • CVE-2023-34034 - affecting Oracle Banking Origination Onboarding Batch Processes, allowing remote exploitation without authentication
  • CVE-2025-15467 - affecting MySQL Enterprise Backup, MySQL Server, MySQL Workbench, Oracle Communications Cloud Native Core Certificate Management, and PeopleSoft Enterprise PeopleTools, allowing remote exploitation without authentication
  • CVE-2026-27727 - affecting Oracle Business Intelligence Enterprise Edition Platform Security, allowing remote exploitation without authentication

Critical vulnerabilities (CVSS score 9.0-9.6)

  • CVE-2025-12543 (CVSS score 9.6) - affecting Oracle Communications Cloud Native Core Policy and Oracle Communications Cloud Native Core Unified Data Repository, enabling remote code execution without authentication
  • CVE-2024-5535 (CVSS score 9.1) - affecting Oracle Communications Cloud Native Core Network Slice Selection Function, allowing remote exploitation without authentication
  • CVE-2023-44981 (CVSS score 9.1) - affecting Oracle Banking Corporate Lending Process Management, Oracle Banking Supply Chain Finance, and Oracle Banking Trade Finance Process Management, allowing remote exploitation without authentication
  • CVE-2024-51504 (CVSS score 9.1) - affecting Oracle Enterprise Command Center Framework Core, allowing remote exploitation without authentication
  • CVE-2024-6387 (CVSS score 9.0) - affecting Sun ZFS Storage Appliance Kit Firmware subsystem, allowing remote exploitation without authentication

High Severity vulnerabilities (CVSS score 8.0 and above)

  • CVE-2025-48734 (CVSS score 8.8) - affecting Oracle Commerce Guided Search, Oracle Advanced Supply Chain Planning, Oracle Banking Corporate Lending Process Management, and Oracle Business Intelligence Enterprise Edition, allowing remote exploitation without authentication
  • CVE-2026-34291 (CVSS score 8.7) - affecting Oracle HTTP Server Core, allowing remote exploitation without authentication
  • CVE-2024-56406 (CVSS score 8.6) - affecting Oracle Commerce Guided Search Endeca Application Controller and Oracle Enterprise Manager Base Platform, allowing remote exploitation without authentication
  • CVE-2026-21997 (CVSS score 8.5) - affecting Oracle Life Sciences Empirica Signal Common Core, allowing remote exploitation without authentication
  • CVE-2026-0861 (CVSS score 8.4) - affecting Oracle Communications Cloud Native Core Network Function Cloud Native Environment and Oracle Unified Inventory Management, exploitable only by a local user, not over the network
  • CVE-2025-58098 (CVSS score 8.3) - affecting Oracle Communications Cloud Native Core Security Edge Protection Proxy and Oracle HTTP Server Core, allowing remote exploitation without authentication
  • CVE-2025-32990 (CVSS score 8.2) - affecting Oracle Communications Cloud Native Core Security Edge Protection Proxy and Service Communication Proxy, allowing remote exploitation without authentication

In total the advisory covers approximately 450 unique CVEs across its 481 patches (a single CVE in a shared component is often patched in several products, as the multi-product entries above show); the large majority carry lower severity scores than the ones listed here.

Oracle strongly recommends that customers apply these Critical Patch Update security patches as soon as possible, especially for vulnerabilities that can be exploited remotely without authentication. The company continues to receive reports of successful attacks exploiting previously patched vulnerabilities where customers failed to apply available updates.
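A practical way to act on that recommendation is to turn the advisory's entries into a work queue ordered by exposure rather than by raw CVSS. The script below is an added example, not Oracle's tooling or part of the original advisory: it parses bullet entries in the format used above (the sample text is copied from the entries listed on this page), expands multi-product entries into one finding per product, joins them against an asset inventory, and ranks internet-facing hosts with unauthenticated network-reachable flaws first. The inventory, the host names, and the rule for splitting product names on " and " (split only when the next word is a known vendor prefix) are assumptions made for the demo.

```python
"""Triage an Oracle CPU advisory summary against an asset inventory.

Added example; not Oracle's code. Parses entries such as
  "CVE-2024-5535 (CVSS score 9.1) - affecting A and B, allowing remote exploitation without authentication"
and ranks (asset, finding) pairs so that internet-facing hosts carrying
unauthenticated, network-reachable flaws come first.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    cvss: float
    remote_unauth: bool  # exploitable over the network without credentials


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    internet_facing: bool


# Assumption: every product name in the advisory begins with one of these words,
# so " and " followed by one of them separates two products, while " and "
# inside a name ("... Setup and Administration") is left alone.
VENDOR_PREFIX = r"(?:Oracle|MySQL|Sun|PeopleSoft)"
PRODUCT_SPLIT_RE = re.compile(r",\s*(?:and\s+)?|\s+and\s+(?=" + VENDOR_PREFIX + r"\b)")

# Section headings carry a default score ("(CVSS score 9.8)") for entries that omit one.
HEADER_RE = re.compile(r"\(CVSS score (?P<score>\d+(?:\.\d+)?)")
ENTRY_RE = re.compile(
    r"^\s*•\s*(?P<cve>CVE-\d{4}-\d{4,})"
    r"(?:\s*\(CVSS score (?P<score>\d+(?:\.\d+)?)\))?"
    r"\s*-\s*affecting\s+(?P<products>.+?),\s*(?:allowing|enabling)\s+(?P<how>.+?)\s*$"
)


def split_products(text: str) -> list[str]:
    return [p.strip() for p in PRODUCT_SPLIT_RE.split(text) if p.strip()]


def is_remote_unauth(how: str) -> bool:
    h = how.lower()
    return "remote" in h and "without authentication" in h


def parse_advisory(text: str) -> list[Finding]:
    findings, section_score = [], None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            score = entry.group("score")
            cvss = float(score) if score else section_score
            if cvss is None:
                raise ValueError(f"no CVSS score for {entry.group('cve')}")
            remote = is_remote_unauth(entry.group("how"))
            for product in split_products(entry.group("products")):
                findings.append(Finding(entry.group("cve"), product, cvss, remote))
            continue
        header = HEADER_RE.search(line)
        if header:
            section_score = float(header.group("score"))
    return findings


def triage(findings: list[Finding], assets: list[Asset]) -> list[tuple[int, Asset, Finding]]:
    """Rows of (tier, asset, finding), most urgent first.

    tier 0: internet-facing host, unauthenticated network flaw
    tier 1: unauthenticated network flaw on an internal host
    tier 2: everything else (local-only flaws, authenticated flaws)
    Within a tier, higher CVSS first.
    """
    by_product: dict[str, list[Finding]] = {}
    for f in findings:
        by_product.setdefault(f.product, []).append(f)
    rows = []
    for a in assets:
        for f in by_product.get(a.product, []):
            tier = 0 if (f.remote_unauth and a.internet_facing) else 1 if f.remote_unauth else 2
            rows.append((tier, a, f))
    rows.sort(key=lambda r: (r[0], -r[2].cvss, r[1].host, r[2].cve))
    return rows


# Sample input: entries copied from the advisory summary above, in its own bullet format.
SAMPLE_ADVISORY = """\
Critical vulnerabilities (CVSS score 9.8)

  • CVE-2025-6965 - affecting Oracle Communications Cloud Native Core Network Exposure Function, allowing remote exploitation without authentication
  • CVE-2025-15467 - affecting MySQL Enterprise Backup, MySQL Server, MySQL Workbench, Oracle Communications Cloud Native Core Certificate Management, and PeopleSoft Enterprise PeopleTools, allowing remote exploitation without authentication

Critical vulnerabilities (CVSS score 9.0-9.6)

  • CVE-2024-5535 (CVSS score 9.1) - affecting Oracle Communications Cloud Native Core Network Slice Selection Function, allowing remote exploitation without authentication

High Severity vulnerabilities (CVSS score 8.0 and above)

  • CVE-2026-34291 (CVSS score 8.7) - affecting Oracle HTTP Server Core, allowing remote exploitation without authentication
  • CVE-2026-0861 (CVSS score 8.4) - affecting Oracle Communications Cloud Native Core Network Function Cloud Native Environment and Oracle Unified Inventory Management, enabling exploitation by local users
"""

# Constructed inventory (hypothetical hosts) for the demo.
SAMPLE_ASSETS = [
    Asset("ohs-edge-01", "Oracle HTTP Server Core", internet_facing=True),
    Asset("mysql-int-01", "MySQL Server", internet_facing=False),
    Asset("nef-core-01", "Oracle Communications Cloud Native Core Network Exposure Function", internet_facing=True),
    Asset("uim-01", "Oracle Unified Inventory Management", internet_facing=False),
]

if __name__ == "__main__":
    for tier, asset, f in triage(parse_advisory(SAMPLE_ADVISORY), SAMPLE_ASSETS):
        print(f"tier {tier}  {asset.host:<14} {f.cve:<16} CVSS {f.cvss}  {asset.product}")
```

With the constructed inventory the queue comes out as nef-core-01 (CVE-2025-6965, 9.8), ohs-edge-01 (CVE-2026-34291, 8.7), mysql-int-01 (CVE-2025-15467, 9.8), then uim-01 (CVE-2026-0861, local only). The 8.7 on the internet-facing HTTP server outranks the 9.8 on the internal MySQL host on purpose: exposure drives the order, CVSS only breaks ties within a tier. In production, replace the product-name join with your CMDB's product identifiers and feed it the full CPU risk matrix rather than this summary.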

The next Critical Patch Updates are scheduled for July 21, 2026, October 20, 2026, January 19, 2027, and April 20, 2027, following Oracle's quarterly release schedule.
