Oracle’s April CPU Drops 481 Patches — What Australian Wealth Managers Should Do Now

Oracle published its quarterly Critical Patch Update for April 2026 on 15 April, delivering 481 security fixes across 28 product families and addressing 241 unique CVEs, with the worst rated at CVSS 9.8. As Tenable breaks it down, 75 of those patches sit in Oracle Financial Services Applications alone, and 59 of them are remotely exploitable without authentication. That’s a meaningful chunk of code anyone on the network can hit.

Why this matters for Australian wealth managers: Oracle quietly underpins a lot of the financial services stack — core fund accounting platforms, Oracle Database for advice and CRM tools, GoldenGate for replication, Java SE in trading and reconciliation apps, and Oracle Cloud or Fusion Middleware behind many client portals. If you’re an APRA-regulated entity, CPS 234 obliges you to maintain an information-security capability commensurate with the threat — which now includes 59 pre-auth bugs sitting in your provider’s stack. For non-regulated advisers the Privacy Act still applies: a remote-code-execution flaw exposing client tax file numbers, beneficiary records or SoA drafts is a notifiable data breach waiting to happen.

What to do this week: ask whoever runs your platforms — in-house, vendor or hosted MSP — for written confirmation that the April 2026 CPU has been applied. If you use SaaS, ask the vendor for their patch attestation. Anything you self-host running Oracle Java SE, Database, Fusion Middleware or Financial Services Applications should be scanned and patched now, prioritising the CVSS 9.8s first. And don’t skip your test and DR environments — attackers don’t.

If you’d like a quick audit of where Oracle sits in your stack, our team works with Australian financial services firms on exactly this kind of compliance-driven patch hygiene.