Oracle strongly recommends that all customers running supported Oracle Database releases, including Oracle Database 19c and Oracle AI Database 26ai, prepare now to test and deploy the upcoming Release Update across their entire database estate as soon as it becomes available on July 21, 2026.
AI is changing the cybersecurity threat landscape
New frontier AI models are dramatically lowering the barriers to discovering and exploiting software vulnerabilities. These models can help identify weaknesses, analyze software changes, reverse-engineer security patches, and develop potential attack paths with unprecedented speed and scale.
AI models are also becoming increasingly capable of combining multiple weaknesses across the application and data stack to create complex attacks, even when no individual weakness would be considered critical on its own. As a result, protecting systems only at the network or application layer is no longer sufficient. Organizations must secure the entire technology stack, including the database and the data it contains.
Oracle is working with Anthropic and OpenAI’s most advanced models to proactively identify and remediate potential security vulnerabilities. We are providing fixes for validated security issues through our established software update processes.
In our April 2026 blog, Take Action Today: Protect Your Oracle Database Against AI-Enabled Cybersecurity Threats, we recommended that customers move to a Long Term Support release, Oracle Database 19c or Oracle AI Database 26ai, and remain current on quarterly Release Updates.
Since that announcement, Oracle has delivered a Critical Security Patch Update addressing critical vulnerabilities. We are now preparing to release a major quarterly Release Update containing fixes for a much larger set of critical- and high-severity security issues identified through this expanded testing.
Action required: Install the upcoming Release Update promptly
All customers running supported Oracle Database releases should prepare to apply the upcoming Release Update (RU), including:
- Oracle Database 19c RU [19.32]
- Oracle AI Database 26ai RU [23.26.3]
- Corresponding updates for Oracle Grid Infrastructure, database clients, and other applicable components
Customers should begin planning, testing, and scheduling deployment now so that the update can be installed across all applicable databases promptly after its planned July 21, 2026 release.
The upcoming RU makes important security fixes available, but those protections take effect only after customers deploy the update. Delaying deployment extends the period during which systems may remain exposed to vulnerabilities that could be discovered and exploited by adversaries using increasingly capable AI tools.
The risk is not limited to internet-facing databases. Attackers can gain access through compromised applications, credentials, users, endpoints, or other systems connected to a database. Organizations should therefore apply the update throughout their estate, including production, disaster recovery, test, development, and supporting infrastructure environments, as applicable.
Applying the database software RUs does not automatically correct every security-related configuration, identity, application, or network risk. Customers must continue to assess and strengthen the broader security posture of their database environments.
Reduce the time between release and deployment
Traditional patching programs often rely on lengthy testing cycles and limited maintenance windows. That approach becomes increasingly risky as AI reduces the time required to analyze software, identify weaknesses, and develop possible exploits.
Organizations should establish a repeatable process that enables them to do the following:
- Identify every database, Grid Infrastructure installation, client, and related component requiring an update
- Prioritize systems based on exposure and business criticality
- Test updates rapidly using representative production workloads
- Use rolling and low-downtime patching wherever supported
- Continuously monitor for databases that remain behind the recommended update level
This may require customers to change existing patching plans. The goal should be to move from infrequent, reactive maintenance toward continuous and disciplined lifecycle management.
Oracle is helping remove barriers to rapid patching
To help customers accelerate patch deployment, Oracle has made several database patching, testing, lifecycle-management, and security capabilities available at no cost for a limited time or at 90% discount, subject to applicable terms.
These offerings include capabilities designed to help customers inventory environments, automate patch deployment, test application impact, reduce downtime, and monitor security posture across cloud, multicloud, hybrid, and on-premises database estates.
Customers should obtain these tools now, become familiar with them, and integrate them into their operational processes before the upcoming Release Update becomes available.
Available offerings include:
- Oracle Database Lifecycle Management Pack to centrally manage and patch database and Grid Infrastructure
- Oracle Exadata Management Pack to manage and patch Exadata infrastructure
- Oracle Real Application Testing to evaluate the effects of updates against representative real production workloads
- Oracle GoldenGate and Oracle GoldenGate Veridata to help support low-downtime or no-downtime migration, patching, validation, and switchover strategies
- Oracle Data Safe and Oracle Database Security Central to assess and monitor database security risks for both cloud and on-premises databases
Customers that need additional assistance can refer to Oracle Customer Success Services AI Patching and Upgrade Center for Databases and Applications. Customers should contact their Oracle Technical Account Manager, Oracle Support representative, or Oracle account team to discuss the assistance available for their particular environment.
Maintain availability while applying updates
Security and availability should not be treated as competing objectives. Oracle provides technologies and best practices that can help customers apply updates while minimizing disruption to critical business services.
Customers should use applicable capabilities such as:
- Oracle Real Application Clusters
- Oracle Active Data Guard
- Oracle GoldenGate
- Fleet Patching and Provisioning
- Rolling patching and switchover procedures
- Transparent Application Continuity
- Oracle Maximum Availability Architecture best practices
The appropriate approach depends on each system’s architecture and the specific update being applied. Customers should validate their patching and recovery procedures before deployment and maintain tested backups and standby systems.
Patching cloud databases
Oracle Autonomous Database customers already benefit from Oracle-managed autonomous patching. Co-managed database services, including applicable Exadata Database Service and Base Database Service offerings, provide extensive patch automation to help customers apply current updates across their fleets.
Oracle Data Safe is free with eligible Oracle Database cloud services, subject to service-specific terms, and we recommend that all cloud customers take advantage of it to improve their security posture.
Patching is essential, but it is not sufficient
Updating database binaries is one of the most important actions customers can take, but database risk also comes from configuration choices, excessive privileges, compromised credentials, unprotected sensitive data, application behavior, and unexpected access paths.
Organizations should continuously assess:
- Security configurations and missing controls
- Privileged and high-risk users
- Unused or excessive privileges
- Dormant accounts and accounts with weak passwords
- Sensitive-data exposure
- Suspicious database activity and SQL-injection risk
- Audit-policy coverage and compliance
- Backup integrity and recovery readiness
Oracle Data Safe, Oracle Database Security Central (General Availability coming soon), and Oracle Database Security Assessment Tool can help customers identify and address these risks across different deployment models and operational requirements.
Customers should also consider database-enforced security controls, including SQL Firewall, Oracle Database Vault, Transparent Data Encryption, auditing, and fine-grained authorization, to protect data across authorized access paths, including applications, users, administrators, and AI agents. Database-enforced controls are generally more effective, have lower overhead, and are more difficult to bypass than application controls.
Strict network segmentation and access restrictions remain important components of a defense-in-depth architecture. Databases should not be exposed directly to the public internet, and access should be limited to authorized applications, administrators, and services.
Prepare for a continuing cycle of security updates
The upcoming Release Update is an important milestone, but it should not be viewed as a one-time event.
Frontier AI models will continue to improve, and our skills at using the models will also continue to improve. Oracle expects these technologies to identify additional potential vulnerabilities across the whole technology stack that enterprises depend on. Adversaries will use similar capabilities to accelerate vulnerability discovery and exploitation.
Oracle will continue working to identify, validate, and remediate security issues as quickly as possible. Customers should be prepared for an environment in which important security fixes may need to be evaluated and deployed more frequently and with less notice than in the past.
What customers should do now
Before the upcoming Release Update (RU) becomes available:
- Confirm that all databases are running a supported Long-Term Support release, specifically Oracle Database 19c or Oracle AI Database 26ai.
- Inventory all database servers, Grid Infrastructure installations, clients, drivers, management tools, and related components.
- Update systems to a recent Release Update so they are prepared for the upcoming July update.
- Obtain and deploy Oracle’s available patching, testing, lifecycle-management, and security tools.
- Establish an accelerated testing and deployment process.
- Review Oracle Real Application Clusters (Oracle RAC), Oracle Active Data Guard, Oracle GoldenGate, Transparent Application Continuity, and Oracle Maximum Availability Architecture (Oracle MAA) options for maintaining availability during patching.
- Confirm that backups, standby databases, recovery procedures, and rollback plans are tested.
- Assess database configurations, users, privileges, sensitive data, activity, and network exposure.
- Schedule resources and maintenance activities so that testing and deployment can begin immediately after the RU is released.
- Engage Oracle Support or Oracle Customer Success Services now if assistance is required.
Act promptly when the update becomes available
AI is increasing both the speed at which vulnerabilities can be discovered and the speed at which they may be exploited. Oracle is using those same advances proactively to help identify weaknesses, deliver fixes, and provide customers with tools and services that make updates easier to deploy.
Customers should use the time before the upcoming Release Update to prepare. Once the update becomes available, Oracle strongly recommends that organizations test and apply it promptly across all applicable systems. You should also ensure that various tools and technologies around the database are patched as well, including the operating system, Java, Exadata, Oracle Enterprise Manager, Oracle GoldenGate, Oracle REST Data Services (ORDS), Oracle Key Vault, Oracle Audit Vault and Database Firewall, and Oracle Connection Manager (CMAN).
Staying on a supported Long Term Support release, applying current RUs, continuously monitoring database security posture, and maintaining resilient architectures are now essential elements of operating a secure enterprise database estate.
AI changes everything
In this blog we focused on software updates, but there is much more for organizations to know and consider. Cyberattacks are just one aspect of the massive changes that AI is bringing to the world of data. Equally challenging will be deploying AI Agents, MCP servers, vibe-coded applications, AI management and automation, natural language-to-SQL, AI-powered reporting, and other emerging technologies while minimizing their security, hallucination, and data integrity risks.
Addressing these risks will require changes to the strategies, tools, and architectures used to develop and deploy applications, workflows, and AI-enabled systems. For example, Oracle recently released Deep Data Security to help address security risks introduced by vibe-coded applications and AI Agents.
We highly recommend that customers send leaders of their operations, security, and application development teams to the Oracle AI World Conference, October 25-28, 2026 in Las Vegas. We will provide extensive briefings, training, and hands-on experiences on the new approaches, tools, and architectures that organizations should begin adopting now to thrive and survive in this AI era. It is important to sign up soon because we expect this event to sell out.
Additional resources
- AI Has Changed the Threat Landscape. Security Must Start with Data.
- Oracle Customer Success Services: Patching and Upgrade Center for Databases and Applications
- Strengthen Security for On-Premises Oracle Databases with Oracle Data Safe
- Introducing Oracle Database Security Central: Taking Control of Database Security Across Your Fleet
- Oracle Support knowledge article PNEWS3015
