
Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day January 2026

SAP has released its January 2026 security patch package containing 17 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 9.9, four High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP S/4HANA, SAP HANA database, SAP NetWeaver, SAP Wily Introscope, and various application components.

🔍 DISCOVERED BY REDRAYS

RedRays ABAP Code Scanner Uncovers Critical Authorization Bypass

Our RedRays ABAP Code Scanner successfully identified a critical missing authorization vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. This high-severity flaw allows authenticated users with low privileges to bypass authorization controls and perform unauthorized actions with significant impact on system integrity and availability.

SAP Security Note #3688703 addresses this vulnerability discovered through automated static code analysis. The advisory is scheduled for public release on March 13, 2026.

Vulnerability ID: CVE-2026-0506 | CVSS 8.1 | High

  • Total Security Notes: 17
  • HotNews Critical: 4
  • High Priority: 4
  • Medium Priority: 7
  • Low Priority: 2

Executive Summary

  • Critical SQL Injection: CVE-2026-0501 (CVSS 9.9) in SAP S/4HANA Financials General Ledger allows authenticated attackers to execute arbitrary SQL queries with cross-scope impact on confidentiality, integrity, and availability.
  • Remote Code Execution: CVE-2026-0500 (CVSS 9.6) in SAP Wily Introscope Enterprise Manager enables unauthenticated remote code execution with complete system compromise.
  • Code Injection Vulnerabilities: CVE-2026-0491 (CVSS 9.1) in SAP Landscape Transformation and CVE-2026-0498 (CVSS 9.1) in SAP S/4HANA allow high-privileged attackers to inject and execute malicious code with cross-scope impact.
  • Privilege Escalation: CVE-2026-0492 (CVSS 8.8) in SAP HANA database enables authenticated users to escalate privileges and compromise database integrity.

Critical HotNews Vulnerabilities

SQL Injection in SAP S/4HANA Financials – General Ledger

CVSS 9.9 | CVE-2026-0501 | Component: FI-GL-GL-G | SQL Injection
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Critical SQL injection vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) allows authenticated attackers with low privileges to execute arbitrary SQL queries. This maximum severity flaw enables complete system compromise with cross-scope impact on confidentiality, integrity, and availability of financial data.

SAP Note 3687749 — emergency patch required immediately.

Remote Code Execution in SAP Wily Introscope Enterprise Manager

CVSS 9.6 | CVE-2026-0500 | Component: SV-SMG-DIA-WLY | Remote Code Execution
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Critical remote code execution vulnerability in SAP Wily Introscope Enterprise Manager (WorkStation) allows unauthenticated remote attackers to execute arbitrary code; exploitation requires user interaction. Successful exploitation leads to complete system takeover with cross-scope impact on confidentiality, integrity, and availability.

SAP Note 3668679 — patch within 24 hours.

Code Injection in SAP Landscape Transformation

CVSS 9.1 | CVE-2026-0491 | Component: CA-LT-ANA | Code Injection
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in SAP Landscape Transformation allows high-privileged attackers to inject and execute malicious code remotely. The vulnerability has cross-scope impact enabling complete compromise of confidentiality, integrity, and availability across connected systems.

SAP Note 3697979 — immediate patching required.

Code Injection in SAP S/4HANA (Private Cloud and On-Premise)

CVSS 9.1 | CVE-2026-0498 | Component: CA-DT-ANA | Code Injection
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise) allows high-privileged attackers to inject and execute malicious code with cross-scope impact. Successful exploitation enables complete system takeover affecting confidentiality, integrity, and availability.

SAP Note 3694242 — emergency patch required.

High Priority Security Issues

Privilege Escalation in SAP HANA Database

CVSS 8.8 | CVE-2026-0492 | Component: HAN-DB-SEC | Privilege Escalation
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Privilege escalation vulnerability in SAP HANA database allows authenticated users with low privileges to escalate their access rights. Successful exploitation leads to complete compromise of confidentiality, integrity, and availability of the database.

SAP Note 3691059 — high priority patch within 48 hours.

OS Command Injection in SAP ABAP and NetWeaver RFCSDK

CVSS 8.4 | CVE-2026-0507 | Component: BC-MID-RFC-SDK | OS Command Injection
Vector: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

OS command injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK allows high-privileged attackers on adjacent networks to execute arbitrary operating system commands with cross-scope impact.

SAP Note 3675151 — schedule urgent patch.

Missing Authorization in SAP NetWeaver ABAP Platform

CVSS 8.1 | CVE-2026-0506 | Component: BC-DWB-DIC-F4 | Missing Authorization
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Missing authorization check vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated users to perform unauthorized actions with high impact on integrity and availability.

SAP Note 3688703 — apply high priority patch.

Multiple Vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)

CVSS 8.1 | CVE-2026-0511 | Component: FI-LOC-FI-RU | Multiple Vulnerabilities
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Multiple security vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation) allow authenticated attackers with low privileges to compromise confidentiality and integrity of financial reconciliation data.

SAP Note 3565506 — high priority update.

Medium Priority Vulnerabilities

Missing Authorization in SAP EHS Management

CVSS 6.4 | CVE-2026-0503 | Component: EHS-SAF | Missing Authorization
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Missing authorization check in SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) allows authenticated attackers to access and modify EHS data with cross-scope impact.

SAP Note 3681523 — schedule patch.

Cross-Site Scripting in SAP Business Connector

CVSS 6.1 | CVE-2026-0514 | Component: BC-MID-BUS | Cross-Site Scripting
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Cross-Site Scripting vulnerability in SAP Business Connector allows unauthenticated attackers to inject malicious scripts that execute in victims' browsers with cross-scope impact.

SAP Note 3666061 — apply update.

Cross-Site Scripting in SAP NetWeaver Enterprise Portal

CVSS 6.1 | CVE-2026-0499 | Component: EP-PIN-NAV | Cross-Site Scripting
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Cross-Site Scripting vulnerability in SAP NetWeaver Enterprise Portal allows unauthenticated attackers to inject and execute malicious scripts with cross-scope impact on confidentiality and integrity.

SAP Note 3687372 — maintenance window.

Open Redirect in SAP Supplier Relationship Management

CVSS 4.7 | CVE-2026-0513 | Component: SRM-EBP-CAT | Open Redirect
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Open redirect vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog) allows attackers to redirect users to malicious sites for phishing attacks.

SAP Note 3638716 — schedule update.

Missing Authorization in Product Designer Web UI

CVSS 4.3 | CVE-2026-0497 | Component: PLM-PPM-PDN | Missing Authorization
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in Business Server Pages Application (Product Designer Web UI) allows authenticated users to access restricted product design information.

SAP Note 3677111 — apply fix.

CSRF in SAP Fiori App (Intercompany Balance Reconciliation)

CVSS 4.3 | CVE-2026-0493 | Component: FI-LOC-FI-RU | Cross-Site Request Forgery
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Cross-Site Request Forgery vulnerability in SAP Fiori App (Intercompany Balance Reconciliation) allows attackers to perform unauthorized actions on behalf of authenticated users.

SAP Note 3655229 — routine update.

Information Disclosure in SAP Fiori App (Intercompany Balance Reconciliation)

CVSS 4.3 | CVE-2026-0494 | Component: FI-LOC-FI-RU | Information Disclosure
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation) allows authenticated users to access sensitive financial reconciliation data beyond their authorization.

SAP Note 3655227 — apply patch.

Low Priority Security Updates

Insufficient Input Handling in SAP Identity Management JNDI Operations

CVSS 3.8 | CVE-2026-0504 | Component: BC-IAM-IDM | Insufficient Input Handling
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Insufficient input handling vulnerability in JNDI Operations of SAP Identity Management allows high-privileged attackers to manipulate JNDI lookups with limited impact on confidentiality and integrity.

SAP Note 3657998 — low priority update.

Obsolete Encryption Algorithm in NW AS Java UME User Mapping

CVSS 3.0 | CVE-2026-0510 | Component: BC-JAS-SEC-UME | Obsolete Encryption Algorithm
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

SAP NetWeaver AS Java UME User Mapping uses an obsolete encryption algorithm, which may allow information disclosure under complex attack conditions.

SAP Note 3593356 — regular maintenance cycle.
