
Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day June 2026

SAP has released its June 2026 security patch package containing 15 security notes addressing vulnerabilities across enterprise SAP environments. This release is unusually critical, with four HotNews vulnerabilities rated up to CVSS 9.9, two High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP NetWeaver Application Server ABAP and Java, SAP S/4HANA, SAP Commerce Cloud, SAP Fiori, SAP BusinessObjects BI Platform, SAP Master Data Governance, and other application components.

  • Total Security Notes: 15
  • HotNews (Critical): 4
  • High Priority: 2
  • Medium Priority: 7
  • Low Priority: 2

Executive Summary

  • Critical SAML Signature Wrapping: CVE-2026-44748 (CVSS 9.9) in SAP NetWeaver AS ABAP and ABAP Platform lets a low-privileged attacker forge signed SAML assertions and defeat the authentication the signature is meant to guarantee, resulting in cross-scope compromise of confidentiality, integrity, and availability.
  • Critical Memory Corruption: CVE-2026-27671 (CVSS 9.8) in the Application Server ABAP of SAP NetWeaver and ABAP Platform allows unauthenticated remote attackers to corrupt memory via crafted requests, potentially achieving arbitrary code execution and full compromise of the application server.
  • Critical Spring Security Flaw: CVE-2026-22732 (CVSS 9.1) in SAP Commerce Cloud and SAP Data Hub stems from the bundled Spring Security framework and enables unauthenticated attackers to bypass security controls, with high impact on confidentiality and integrity.
  • Critical Directory Traversal: CVE-2026-40128 (CVSS 9.0) in the Web Container of SAP NetWeaver AS Java allows unauthenticated attackers to read and manipulate files outside the intended directory, leading to cross-scope compromise of confidentiality, integrity, and availability.

Critical HotNews Vulnerabilities

XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform

CVE-2026-44748 · CVSS 9.9 · Component: BC-SEC-LGN-SML · Type: Authentication Bypass
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

An XML Signature Wrapping (XSW) vulnerability in the SAML authentication of SAP NetWeaver AS ABAP and ABAP Platform allows a low-privileged authenticated attacker (PR:L) to manipulate or forge signed SAML assertions, defeating the authentication guarantee the signature is supposed to provide. In this bug class the signature verifier and the assertion consumer disagree about which element is being checked, so a genuinely signed assertion can be kept intact while a forged one is the one actually consumed. With a changed scope (S:C), successful exploitation results in complete compromise of confidentiality, integrity, and availability across trust boundaries.
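What a SAML consumer has to check structurally to resist wrapping, as an added example: this is not SAP's code and says nothing about the patched component's internals. It assumes assertion-level enveloped signatures (the Signature sits inside the Assertion and its Reference URI points at that Assertion's ID) and leaves the cryptographic verification of SignatureValue to an XML-DSig library such as xmlsec. Both SAML responses are constructed for the example, with placeholder signature values; the second one shows the classic wrapping layout with the signed assertion relocated into Extensions.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE = "{%s}Response" % NS["samlp"]
ASSERTION = "{%s}Assertion" % NS["saml"]


class SamlRejected(Exception):
    pass


def naive_name_id(xml_text: str) -> str:
    """The consumer pattern XSW defeats: the signature was verified elsewhere,
    and the identity is read from whichever Assertion comes first."""
    root = ET.fromstring(xml_text)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def signed_name_id(xml_text: str) -> str:
    """Return the NameID of the one Assertion that the document's single enveloped
    Signature covers, or raise SamlRejected. Structural checks only: cryptographic
    verification of SignatureValue over that same element is assumed to be done by
    an XML-DSig library (e.g. xmlsec) once this function has accepted."""
    root = ET.fromstring(xml_text)
    if root.tag != RESPONSE:
        raise SamlRejected("root element is not samlp:Response")
    parent = {child: elem for elem in root.iter() for child in elem}
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise SamlRejected("expected exactly one Signature, found %d" % len(signatures))
    sig = signatures[0]
    refs = sig.findall("./ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SamlRejected("expected exactly one Reference")
    uri = refs[0].get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise SamlRejected("only same-document ID references are accepted")
    # The ID must be unique, or the attacker chooses which copy gets checked.
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:
        raise SamlRejected("%s does not resolve to exactly one element" % uri)
    target = targets[0]
    # Enveloped: the Signature sits directly inside the Assertion it signs ...
    if target.tag != ASSERTION or parent.get(sig) is not target:
        raise SamlRejected("Signature is not enveloped in the Assertion it references")
    # ... and that Assertion is where the protocol puts it, not in Extensions or ds:Object.
    if parent.get(target) is not root:
        raise SamlRejected("signed Assertion is not a direct child of the Response")
    name_id = target.find("./saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlRejected("signed Assertion carries no NameID")
    return name_id.text.strip()


def consume(xml_text: str) -> tuple:
    """(accepted, NameID or rejection reason)."""
    try:
        return True, signed_name_id(xml_text)
    except (SamlRejected, ET.ParseError) as exc:
        return False, str(exc)


# Constructed samples, not real traffic; signature values are placeholders.
CLEAN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>BASE64SIG</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# XSW: the genuinely signed assertion is moved into Extensions (its signature still
# verifies), and a forged assertion takes its expected place at the top.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>sap-admin@corp.example</saml:NameID></saml:Subject>
  </saml:Assertion>
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>BASE64SIG</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
</samlp:Response>"""

if __name__ == "__main__":
    print("naive :", naive_name_id(WRAPPED_RESPONSE))  # identity taken from the forgery
    print("strict:", consume(WRAPPED_RESPONSE))         # rejected
    print("strict:", consume(CLEAN_RESPONSE))           # accepted as alice
```

The point of the strict path is that identity is extracted from the element the signature reference resolves to, never from a separate lookup such as "first Assertion"; the uniqueness check on the ID closes the variant where the forged copy reuses the signed assertion's ID.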

SAP Note 3746332 — emergency patch required immediately.

Memory Corruption Vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

CVE-2026-27671 · CVSS 9.8 · Component: BC-MID-RFC · Type: Memory Corruption
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A memory corruption vulnerability in the Application Server ABAP of SAP NetWeaver and ABAP Platform allows unauthenticated remote attackers to corrupt memory through crafted RFC requests. Successful exploitation may lead to arbitrary code execution with complete compromise of confidentiality, integrity, and availability of the application server.

SAP Note 3717897 — patch within 24 hours.

Potential Spring Security Vulnerability within SAP Commerce Cloud and SAP Data Hub

CVE-2026-22732 · CVSS 9.1 · Component: CEC-SCC-PLA-PL · Type: Security Control Bypass
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

A vulnerability in the bundled Spring Security framework within SAP Commerce Cloud and SAP Data Hub allows unauthenticated remote attackers to bypass security controls. Successful exploitation results in high impact on confidentiality and integrity of the platform and the data it processes.

SAP Note 3748262 — patch within 24 hours.

Directory Traversal Vulnerability in SAP NetWeaver Application Server Java (Web Container)

CVE-2026-40128 · CVSS 9.0 · Component: BC-JAS-WEB · Type: Directory Traversal
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

A directory traversal vulnerability in the Web Container of SAP NetWeaver Application Server Java allows unauthenticated attackers (PR:N), under conditions SAP rates as high complexity (AC:H), to read and manipulate files outside the intended directory. With a changed scope (S:C), successful exploitation results in complete compromise of confidentiality, integrity, and availability.
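The check that any file-serving component needs against this bug class, as an added example that is not SAP's code and does not describe how the Web Container maps requests to files. The document root /srv/webapp/docroot is hypothetical and the request strings are constructed; the function decodes exactly once, treats a URL-absolute path as docroot-relative, and compares resolved real paths so that symlinks inside the root cannot point outside it.

```python
import os
from urllib.parse import unquote


class TraversalRejected(Exception):
    pass


def resolve_under(base_dir: str, requested: str) -> str:
    """Map a request path onto a file inside base_dir and return its path relative
    to base_dir; raise TraversalRejected if it would resolve outside base_dir."""
    # Decode percent-encoding exactly once. A second decode would turn the literal
    # "%252e%252e" into "..", which is the double-encoding bypass.
    path = unquote(requested)
    if "\x00" in path:
        raise TraversalRejected("NUL byte in path: %r" % requested)
    # Backslashes count as separators, so "..\\..\\" cannot slip past a "/"-only filter.
    path = path.replace("\\", "/")
    # A leading "/" is the URL root, not the filesystem root: strip it so that
    # os.path.join does not discard base_dir.
    path = path.lstrip("/")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, path))
    # realpath() collapses ".." and follows symlinks, so the containment test is
    # done on what the OS would actually open.
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise TraversalRejected("escapes %s: %r" % (base_dir, requested))
    return os.path.relpath(candidate, base_real)


def is_safe_request(base_dir: str, requested: str) -> bool:
    try:
        resolve_under(base_dir, requested)
        return True
    except TraversalRejected:
        return False


if __name__ == "__main__":
    base = "/srv/webapp/docroot"  # hypothetical document root
    for req in ("docs/index.html", "/etc/passwd", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/secret", "..\\..\\win.ini",
                "docs/../../app.properties", "index.html%00.jsp"):
        print("%-28s" % req, is_safe_request(base, req))
```

Note what the function does with "/etc/passwd": it is served as docroot/etc/passwd, which is the correct behaviour for a web root, and "%252e%252e/secret" is accepted as a literal directory named "%2e%2e", which is also correct because the container must not decode twice. The rejections come from the containment test, not from pattern-matching on ".."; a denylist of substrings is the approach that encoded and mixed-separator variants defeat.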

SAP Note 3727078 — apply HotNews patch immediately.

High Priority Security Issues

Multiple Vulnerabilities in Apache Tomcat within SAP Commerce Cloud

CVE-2026-29145 · CVSS 7.4 · Component: CEC-SCC-PLA-PL · Type: Third-Party Component
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Multiple vulnerabilities in the bundled Apache Tomcat within SAP Commerce Cloud allow unauthenticated attackers, under complex conditions, to compromise the application server. Successful exploitation results in high impact on confidentiality and integrity of the Commerce Cloud environment.

SAP Note 3747484 — apply high priority patch.

Missing Authorization Check in Application Server ABAP of SAP NetWeaver and ABAP Platform

CVE-2026-44751 · CVSS 7.1 · Component: BC-DWB-DIC-AC · Type: Missing Authorization Check
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

A missing authorization check in the Application Server ABAP of SAP NetWeaver and ABAP Platform allows a low-privileged authenticated attacker to perform unauthorized operations. Successful exploitation results in high impact on integrity and low impact on availability of the application server.

SAP Note 3735546 — apply high priority patch.

Medium Priority Vulnerabilities

Missing Caller Identification Check in ODP Data Replication APIs

CVE-2026-44754 · CVSS 6.6 · Component: BC-BW-ODP · Type: Missing Authorization Check
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L

A missing caller identification check in the ODP Data Replication APIs allows a high-privileged attacker to access data across scope boundaries. Successful exploitation results in high impact on confidentiality and low impact on availability of replicated data.

SAP Note 3748819 — schedule patch.

SQL Injection Vulnerability in SAP S/4HANA

CVE-2026-44744 · CVSS 6.5 · Component: CA-EPT-SSC · Type: SQL Injection
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

An SQL injection vulnerability in SAP S/4HANA allows authenticated attackers to inject malicious SQL statements into backend queries. Successful exploitation results in high impact on confidentiality of business-critical data.

SAP Note 3751691 — apply patch.

Reflected Cross-Site Scripting (XSS) in SAP NetWeaver AS Java (JDBC Test Servlet)

CVE-2026-44746 · CVSS 6.1 · Component: BW-BEX-UDI · Type: Reflected XSS
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

A reflected Cross-Site Scripting vulnerability in the JDBC Test Servlet of SAP NetWeaver AS Java allows unauthenticated attackers to inject malicious scripts that execute in victim browsers, with cross-scope impact on confidentiality and integrity when users interact with crafted content.

SAP Note 3723655 — schedule patch.

Cross-Site Scripting (XSS) Vulnerability in SAP Wily Introscope Enterprise Manager

CVE-2026-44757 · CVSS 4.7 · Component: SV-SMG-DIA-WLY · Type: XSS
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

A Cross-Site Scripting vulnerability in SAP Wily Introscope Enterprise Manager allows unauthenticated attackers, under complex conditions, to inject scripts that execute in monitoring users' browsers, leading to cross-scope impact on confidentiality and integrity.

SAP Note 3715280 — schedule update.

Email Spoofing Vulnerability in SAP BusinessObjects Business Intelligence Platform

CVE-2026-44755 · CVSS 4.3 · Component: BI-BIP-SEC · Type: Email Spoofing
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

An email spoofing vulnerability in SAP BusinessObjects Business Intelligence Platform allows authenticated attackers to send messages that appear to originate from trusted addresses, leading to low impact on integrity and supporting phishing or social-engineering attacks.

SAP Note 3687096 — apply update.

Missing Authorization Check in SAP MDG (Review Match Groups Application)

CVE-2026-44750 · CVSS 4.3 · Component: CA-MDG-CMP-BP · Type: Missing Authorization Check
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

A missing authorization check in the Review Match Groups Application of SAP Master Data Governance allows authenticated attackers to bypass authorization controls, leading to low impact on integrity of master data match groups.

SAP Note 3673181 — apply update.

Path Traversal Vulnerability in SAP Fiori (launchpad)

CVE-2026-24315 · CVSS 4.2 · Component: CA-FLP-FE-COR · Type: Path Traversal
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

A path traversal vulnerability in the SAP Fiori launchpad allows unauthenticated attackers, under complex conditions and with user interaction, to access resources outside the intended path, leading to low impact on confidentiality and integrity.

SAP Note 3682699 — schedule update.

Low Priority Security Updates

Security Misconfiguration Vulnerability in SAP Business Objects

CVE-2026-44743 · CVSS 3.7 · Component: BI-BIP-CMC · Type: Misconfiguration
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

A security misconfiguration vulnerability in the Central Management Console of SAP BusinessObjects allows unauthenticated attackers, under complex conditions, to obtain limited sensitive information, leading to low impact on confidentiality.

SAP Note 3706000 — regular maintenance cycle.

Potential Vulnerability in Apache Log4j Library used by SAP NetWeaver AS Java

CVE-2025-68161 · CVSS 3.3 · Component: BC-JAS-SEC-UME · Type: Third-Party Component
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

A potential vulnerability in the Apache Log4j library used by SAP NetWeaver AS Java allows high-privileged attackers, under complex conditions, to affect the User Management Engine with low impact on confidentiality and integrity.

SAP Note 3726899 — regular maintenance cycle.

Security Advisory prepared by RedRays Cybersecurity Team

Based on SAP Security Notes published 9 June 2026.

© 2026 RedRays. Test patches in development environments before production deployment.
