SAP released Note 3697355 on 10 March 2026 to close a SQL injection weakness in the SAP NetWeaver Feedback Notification service (component CA-NO). If you run SAP_ABA on the affected releases, this is a patch worth confirming, because the flaw let an already-authenticated user tamper with the SQL that the service builds behind the scenes.
This one has a bit of history behind it: it was identified by the RedRays research team using the RedRays ABAP Code Scanner, our static-analysis tool for custom and standard ABAP code, and SAP subsequently fixed it in this Note.
At a glance
What was the issue
The Feedback Notification service (the R/3 Support Line Feedback function inside SAP NetWeaver) assembled part of a database query using values that come from user-controlled input fields. Because those inputs were placed into the SQL statement without being properly validated or escaped first, an authenticated user could craft input that changes how the query is interpreted rather than being treated as plain data - a classic SQL injection pattern.
According to SAP's description, a successful manipulation could alter the logic of the query's WHERE clause and, from there, reach or change database records that the request was never meant to touch. SAP rates the overall risk as Medium (CVSS base score 6.4). The scoring reflects that the attacker needs valid credentials (privileges required is Low, not None), no user interaction is involved, and the impact stays limited: low on confidentiality, none on integrity, and low on availability, with a changed scope because the affected component can influence resources beyond its own security boundary.
Affected releases
The correction ships for the SAP_ABA software component across the following release ranges:
- SAP_ABA 700 - 702
- SAP_ABA 731
- SAP_ABA 740
- SAP_ABA 750 - 752
- SAP_ABA 75A - 816
The vulnerable code vs. the fix
This exact statement pair comes from FORM FILL_SELECT in function group DNO_OW_TASK (used by function module DNO_OW_TASK_GET_NOTIF), the routine that turns a caller-supplied field name and value into a WHERE-clause fragment.
Vulnerableconcatenate '''' p_para '''' into l_line.
concatenate l_and p_field 'EQ' l_line into l_line
Fixed
lv_val = cl_abap_dyn_prg=>quote( lv_temp_para ).
concatenate l_and l_field_validated 'EQ' lv_val into l_line
How to fix it
The remediation is straightforward and is the standard SAP path for this kind of note:
- Apply SAP Note 3697355 to your affected systems.
- Install the Support Package level listed in the note for your SAP_ABA release, or implement the correction instructions provided with the note if you cannot move to the Support Package immediately.
- There is no workaround, so patching is the only effective mitigation - schedule it rather than defer it.
At a high level, the fix makes the service validate and escape user-supplied values before they are ever combined into SQL text, so the input is handled as data instead of as executable query logic. After applying the note, confirm the target Support Package is reflected in your system so the corrected code is actually active.
Caught by the RedRays ABAP Code Scanner
A WHERE-clause fragment assembled from unvalidated input, like the one behind CVE-2026-27684, is exactly the kind of SQL injection the RedRays ABAP Code Scanner catches automatically in custom ABAP code, before it ever needs its own SAP Security Note.
Explore ABAP Code ScannerSource: SAP Security Note 3697355 (released 10 March 2026), CVE-2026-27684. This vulnerability was identified by the RedRays research team using the RedRays ABAP Code Scanner, and SAP addressed it in this Note. This article includes only the short, minimal code excerpt above illustrating the specific fix - not the full correction instruction. Always verify applicability against your own system in SAP for Me.

