From 4cc5822f8b037739575721550b84e4ad303807ce Mon Sep 17 00:00:00 2001
From: "rukayaj@gmail.com" <rukayaj@gmail.com>
Date: Thu, 4 Jun 2026 17:31:28 +0200
Subject: [PATCH] Avoid vulnerable Oracle JDBC versions

---
 pom.xml       | 2 +-
 renovate.json | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 4ffa187c89..b9cc9ea0b3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -96,7 +96,7 @@
     <jtds.version>1.3.1</jtds.version>
     <mssql-jdbc.version>13.4.0.jre11</mssql-jdbc.version>
     <mysql-connector-java.version>9.7.0</mysql-connector-java.version>
-    <ojdbc.version>23.26.2.0.0</ojdbc.version>
+    <ojdbc.version>23.2.0.0</ojdbc.version>
     <postgresql.version>42.7.11</postgresql.version>
     <duckdb.version>1.5.2.1</duckdb.version>
 
diff --git a/renovate.json b/renovate.json
index 4df5c674c2..dfbb6144db 100644
--- a/renovate.json
+++ b/renovate.json
@@ -21,6 +21,11 @@
       "versioning": "regex:^(?<major>\\d+)(\\.(?<minor>\\d+))?(\\.(?<patch>\\d+))?(\\.(?<compatibility>.*))?$",
       "description": "Take into account mssql-jdbc compatibility suffix (jre11 currently)"
     },
+    {
+      "matchPackageNames": ["com.oracle.database.jdbc:ojdbc8"],
+      "allowedVersions": "/^(?!23\\.(?:[4-9]|1\\d|2[0-6])\\.).*/",
+      "description": "Avoid Oracle JDBC 23.4.x through 23.26.x due to Oracle CSPU May 2026 TLS vulnerabilities"
+    },
     {
       "matchPackageNames": ["com.google.guava:guava"],
       "automerge": false