SAP has released its May 2026 security patch package containing 15 security notes addressing vulnerabilities across enterprise SAP environments. This release includes two HotNews vulnerabilities with CVSS ratings up to 9.6, one High priority issue, eleven Medium priority fixes, and one Low priority update. The patches affect SAP Commerce Cloud, SAP S/4HANA, SAP NetWeaver Application Server ABAP, SAP HANA, SAP Forecasting & Replenishment, SAP BusinessObjects BI Platform, and other application components.
Executive Summary
- Critical Missing Authentication Check: CVE-2026-34263 (CVSS 9.6) in SAP Commerce Cloud configuration allows unauthenticated attackers to bypass authentication and achieve full compromise of confidentiality, integrity, and availability with cross-scope impact.
- Critical SQL Injection: CVE-2026-34260 (CVSS 9.6) in SAP S/4HANA (SAP Enterprise Search for ABAP) enables authenticated attackers to inject malicious SQL statements, leading to cross-scope compromise with high impact on confidentiality and availability.
- High Severity OS Command Injection: CVE-2026-34259 (CVSS 8.2) in SAP Forecasting & Replenishment allows high-privileged attackers to execute arbitrary OS commands with cross-scope impact on confidentiality, integrity, and availability.
- OS Command Injection in NetWeaver: CVE-2026-40135 (CVSS 6.5) in SAP NetWeaver Application Server for ABAP and ABAP Platform enables high-privileged authenticated attackers to compromise integrity and availability of the application server.
Critical HotNews Vulnerabilities
Missing Authentication Check in SAP Commerce Cloud Configuration
Critical missing authentication check in SAP Commerce Cloud configuration allows unauthenticated remote attackers to bypass authentication controls. Successful exploitation results in cross-scope impact with complete compromise of confidentiality, integrity, and availability of the Commerce Cloud environment.
SQL Injection Vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)
Critical SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP) allows authenticated attackers to inject malicious SQL statements. Successful exploitation leads to cross-scope impact with full compromise of confidentiality and availability of business-critical data.
High Priority Security Issues
OS Command Injection Vulnerability in SAP Forecasting & Replenishment
OS command injection vulnerability in SAP Forecasting & Replenishment allows high-privileged local attackers to execute arbitrary operating system commands. Successful exploitation results in cross-scope impact with complete compromise of confidentiality, integrity, and availability of the host system.
Medium Priority Vulnerabilities
OS Command Injection in SAP NetWeaver Application Server for ABAP and ABAP Platform
OS command injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform allows high-privileged authenticated attackers to execute arbitrary OS commands with high impact on integrity and availability of the application server.
Missing Authorization Check in SAP S/4HANA Condition Maintenance
Missing authorization check in SAP S/4HANA Condition Maintenance allows authenticated attackers to bypass authorization controls with low impact on confidentiality, integrity, and availability of condition master data.
Cross-Site Scripting (XSS) in Business Server Pages Application (TAF_APPLAUNCHER)
Cross-Site Scripting vulnerability in Business Server Pages Application (TAF_APPLAUNCHER) allows unauthenticated attackers to inject malicious scripts that execute in victim browsers, leading to cross-scope impact on confidentiality and integrity when users interact with crafted content.
Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)
Missing authorization check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) allows authenticated attackers to bypass authorization controls with low impact on confidentiality and integrity of strategic enterprise data.
Cross-Site Request Forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform
Cross-Site Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform allows unauthenticated attackers to trick authenticated users into performing unintended actions, leading to low impact on integrity and availability of BI reports and platform resources.
Improper Certificate Validation in SAP Commerce Cloud (Apache Log4j)
Potential improper certificate validation in SAP Commerce Cloud stemming from Apache Log4j allows unauthenticated attackers under complex conditions to bypass certificate trust checks with low impact on confidentiality and integrity.
Reflected Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP (BSP Applications)
Reflected Cross-Site Scripting vulnerability in applications based on Business Server Pages within SAP NetWeaver Application Server ABAP allows unauthenticated attackers under complex conditions to inject scripts that execute in victim browsers, with cross-scope impact on confidentiality and integrity.
Content Spoofing Vulnerability in SAPUI5 (Search UI)
Content spoofing vulnerability in SAPUI5 (Search UI) allows unauthenticated attackers to manipulate displayed content and mislead end users, with cross-scope impact on confidentiality when victims interact with crafted UI content.
Code Injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform
Code injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to inject limited code constructs into the runtime with low impact on integrity of the application server.
Denial of Service (DoS) in SAP Financial Consolidation
Denial of service vulnerability in SAP Financial Consolidation allows authenticated attackers to disrupt service availability with low impact on availability of consolidation and financial reporting processes.
Missing Authorization Check in SAP Incentive and Commission Management
Missing authorization check in SAP Incentive and Commission Management allows authenticated attackers to bypass authorization controls with low impact on integrity of incentive and commission data.
Low Priority Security Updates
SQL Injection Vulnerability in SAP HANA Deployment Infrastructure (HDI) Deploy Library
SQL injection vulnerability in the SAP HANA Deployment Infrastructure (HDI) deploy library allows local high-privileged attackers to inject limited SQL statements with low impact on confidentiality and availability of HDI deployments.
Security Advisory prepared by RedRays Cybersecurity Team
Based on SAP Security Notes published 12 May 2026.
© 2026 RedRays. Test patches in development environments before production deployment.