Oracle Security Patch Update – 01 June 2026

Oracle released its critical patch updates for May 2026, containing 77 new security patches across multiple affected Oracle products and third-party components.

The addressed vulnerabilities could allow an attacker to conduct denial-of-service attacks, obtain sensitive information, bypass security restrictions, manipulate data, gain elevated privileges, execute arbitrary code, and gain access to the affected systems.

Sample of the addressed vulnerabilities:

1. Oracle REST Data Services Takeover Vulnerability (CVE-2026-46840):

  • CVSS: 10
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

2. Oracle Internet Procurement Connector Unauthorized Access Vulnerability (CVE-2026-46819):

  • CVSS: 9.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Data Manipulation

Note that Oracle is aware that several of the vulnerabilities are remotely exploitable without authentication.

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.
