Advisory

Oracle Releases January 2026 Patch Update Fixing 337 Security Flaws in Multiple Products

Take action: If you are using Oracle products, review this advisory in detail. Prioritize patching of internet-facing systems, as several vulnerabilities allow remote attackers to compromise your systems without any authentication. Test patches in a development environment first if possible, but don't delay deployment - Oracle continues to see successful attacks on systems where customers failed to apply previous patches.


Learn More

Oracle has released its quarterly Critical Patch Update for January 2026 with 337 new security patches fixing issues in the Oracle product ecosystem.

The security update addresses vulnerabilities in Oracle's major product families, including Oracle Database Server versions 19.3-19.29, 21.3-21.20, and 23.4.0-23.26.0; Oracle Java SE versions 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1; MySQL Server versions 8.0.0-8.0.44, 8.4.0-8.4.7, and 9.0.0-9.5.0; Oracle WebLogic Server versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0; and Oracle E-Business Suite versions 12.2.3-12.2.15.
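The version ranges above are what an administrator has to compare an inventory against, and the comparison is easy to get wrong: a plain string comparison puts "8.0.9" above "8.0.44". The following script is an added example, not Oracle's own tooling; it encodes the affected ranges quoted in this advisory for the products with purely numeric version strings, checks a constructed inventory against them, and lists affected hosts with internet-facing systems first, following the prioritization advice at the top of this page. The host names and the INTERNET_FACING set are constructed for illustration.

```python
"""Check an inventory of Oracle product versions against the affected
version ranges listed in the January 2026 Critical Patch Update advisory.
Added example; it is not Oracle's tooling and only covers the products
whose versions are plain dotted numbers (Java SE's '8u471' style is omitted)."""
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '19.29' into (19, 29) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


# Affected ranges as stated in the advisory, keyed by product. Each entry is a
# list of (low, high) inclusive bounds; a single listed version is (v, v).
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "Oracle Database Server": [
        (parse_version("19.3"), parse_version("19.29")),
        (parse_version("21.3"), parse_version("21.20")),
        (parse_version("23.4.0"), parse_version("23.26.0")),
    ],
    "MySQL Server": [
        (parse_version("8.0.0"), parse_version("8.0.44")),
        (parse_version("8.4.0"), parse_version("8.4.7")),
        (parse_version("9.0.0"), parse_version("9.5.0")),
    ],
    "Oracle WebLogic Server": [
        (v, v)
        for v in map(parse_version,
                     ["12.2.1.4.0", "14.1.1.0.0", "14.1.2.0.0", "15.1.1.0.0"])
    ],
    "Oracle E-Business Suite": [
        (parse_version("12.2.3"), parse_version("12.2.15")),
    ],
}


def is_affected(product: str, version: str) -> bool:
    """True when the installed version falls inside any affected range.
    A product not in AFFECTED returns False, meaning 'not covered by this
    check', not 'safe'."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED.get(product, []))


def triage(inventory: List[Tuple[str, str, str]],
           internet_facing: Set[str]) -> List[Tuple[str, str, str]]:
    """Return the affected (host, product, version) rows, internet-facing
    hosts first and then alphabetical, so the patch queue starts with the
    systems reachable by unauthenticated remote attackers."""
    hits = [row for row in inventory if is_affected(row[1], row[2])]
    return sorted(hits, key=lambda row: (row[0] not in internet_facing, row[0]))


# Constructed sample inventory; host names are illustrative only.
INVENTORY = [
    ("db-prod-01", "Oracle Database Server", "19.27"),
    ("db-dev-02", "Oracle Database Server", "19.30"),     # outside the listed range
    ("web-edge-01", "Oracle WebLogic Server", "14.1.2.0.0"),
    ("mysql-int-01", "MySQL Server", "8.0.9"),            # lexically > '8.0.44', numerically inside
    ("mysql-int-02", "MySQL Server", "8.4.8"),            # outside the listed range
    ("ebs-01", "Oracle E-Business Suite", "12.2.15"),
]
INTERNET_FACING = {"web-edge-01", "ebs-01"}

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY, INTERNET_FACING):
        tag = "INTERNET-FACING" if host in INTERNET_FACING else "internal"
        print(f"{host:14} {product:26} {version:12} {tag}")
```

A version inside a listed range says the host needs the January 2026 update; a version outside the ranges is not evidence that the update has been applied, and whether the Critical Patch Update itself is installed still has to be verified through the product's own patch inventory.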

Critical vulnerabilities (CVSS score 10.0)

  • CVE-2025-66516 - affecting Oracle Business Process Management Suite Runtime Engine, Oracle Middleware Common Libraries and Tools, Oracle Commerce Guided Search Workbench, PeopleSoft Enterprise PeopleTools OpenSearch, Oracle Communications Order and Service Management Security, and Oracle Communications Unified Assurance Core, allowing remote exploitation without authentication
  • CVE-2026-21962 - affecting Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in for Apache HTTP Server and IIS, enabling remote exploitation without authentication

Critical vulnerabilities (CVSS score 9.8)

  • CVE-2025-54988 - affecting Oracle Business Process Management Suite Oracle Business Rules, allowing remote exploitation without authentication
  • CVE-2025-4949 - affecting Oracle Data Integrator Security and Oracle Fusion Middleware Oracle Database Client for Fusion Middleware, enabling remote code execution without authentication
  • CVE-2025-54874 - affecting Oracle Outside In Technology Core and Oracle Spatial and Graph, allowing remote exploitation without authentication
  • CVE-2021-43113 - affecting Primavera Unifier Reports, enabling remote code execution without authentication
  • CVE-2026-21969 - affecting Oracle Agile Product Lifecycle Management for Process Supplier Portal, allowing remote exploitation without authentication
  • CVE-2024-52046 - affecting Oracle Health Sciences Information Manager XAD-PID Change Management, allowing remote exploitation without authentication
  • CVE-2025-6965 - affecting Oracle NoSQL Database Administration, MySQL Server Docker Images, PeopleSoft Enterprise PeopleTools Porting, and Siebel CRM Cloud Applications Siebel Cloud Manager, allowing remote exploitation without authentication

Critical vulnerabilities (CVSS score 9.1-9.9)

  • CVE-2025-49796 (CVSS score 9.1) - affecting Oracle Banking Branch Reports, Oracle Banking Cash Management, Oracle Banking Corporate Lending Process Management, Oracle Banking Liquidity Management, Oracle Banking Supply Chain Finance, Oracle HTTP Server Core, and Oracle Hyperion Infrastructure Technology, allowing remote exploitation without authentication
  • CVE-2025-23048 (CVSS score 9.1) - affecting Oracle HTTP Server SSL Module, allowing remote exploitation without authentication
  • CVE-2025-49844 (CVSS score 9.9) - affecting Oracle Communications Operations Monitor Infrastructure, allowing remote exploitation without authentication

High severity vulnerabilities (CVSS score 8.0 and above)

  • CVE-2025-48734 (CVSS score 8.8) - affecting Oracle Field Service HTML Dispatch Center, Oracle Human Resources iRecruitment, Oracle Succession Planning Suitability Analyzer, Oracle Time and Labor Core, Oracle Banking Cash Management, Oracle Banking Liquidity Management, Oracle Communications Policy Management, Oracle Agile PLM Security, Oracle Retail Advanced Inventory Planning, Oracle Retail Allocation, Oracle Retail Fiscal Management, PeopleSoft Enterprise PeopleTools, and multiple other products
  • CVE-2025-66516 (CVSS score 8.3) - affecting Primavera Unifier Integration
  • CVE-2026-21967 (CVSS score 8.6) - affecting Oracle Hospitality OPERA 5 Property Services Opera Servlet
  • CVE-2024-56406 (CVSS score 8.6) - affecting Oracle Fusion Middleware Third Party components
  • CVE-2025-32990 (CVSS score 8.2) - affecting Oracle Communications Network Analytics Data Director Platform and Oracle Communications Policy Management Configuration Management Platform
  • CVE-2025-5987 (CVSS score 8.1) - affecting Oracle Enterprise Communications Broker Routing
  • CVE-2026-21973 (CVSS score 8.1) - affecting Oracle FLEXCUBE Investor Servicing Security Management System
  • CVE-2025-59250 (CVSS score 8.1) - affecting Oracle GoldenGate Big Data and Application Adapters Java Delivery
  • CVE-2025-27363 (CVSS score 8.1) - affecting Oracle Hyperion Financial Reporting Install and JD Edwards EnterpriseOne Tools E1 Dev Platform Tech
  • CVE-2025-9900 (CVSS score 8.8) - affecting Oracle Communications Policy Management Configuration Management Platform

Apart from these flaws, the advisory covers over 280 other patched vulnerabilities of lower severity.

Oracle strongly recommends that customers apply these Critical Patch Update security patches as soon as possible, especially for vulnerabilities that can be exploited remotely without authentication. The company continues to receive reports of successful attacks exploiting previously patched vulnerabilities where customers failed to apply available updates.

The next Critical Patch Updates are scheduled for April 21, 2026, July 21, 2026, October 20, 2026, and January 19, 2027, following Oracle's quarterly release schedule.
