Oracle has released its January 2026 Critical Patch Update (CPU), which provides 337 security updates addressing approximately 230 distinct vulnerabilities across more than 30 products, including several that can be exploited remotely without authentication.

Affected systems

Affected products include, but are not limited to:

• Oracle Database   

• Oracle Enterprise Manager

• Oracle MySQL  

• Oracle E-Business Suite   

• Oracle Java SE     

• Oracle Fusion Middleware

Security Risks

The identified vulnerabilities could enable attackers to execute code without authentication, obtain unauthorized access, expose or manipulate sensitive data, or disrupt critical systems and services, leading to significant operational, financial and reputational impact.

For the full list of security updates released by Oracle, please refer to Critical Patch Updates.

Recommended Actions

The National Cyber Security Authority (NCSA) recommends the following actions:

1. Upgrade as soon as possible to the latest supported version of installed software in order to continue receiving technical support and security patches.

2. Ensure you have the latest backup that can be easily restored before applying any updates or patches.

For further information and support, please contact the National Cyber Security Authority (NCSA) by emailto rwcsirt@ncsa.gov.rw or call us on 9009.

References

• Oracle Critical Patch Update Advisory - January 2026

• Oracle Critical Patch Updates, Security Alerts and Bulletins

• Oracle’s First 2026 CPU Delivers 337 New Security Patches