
Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day February 2026

SAP has released its February 2026 security patch package containing 27 security notes. The release includes two HotNews notes with CVSS scores of 9.9 and 9.6, seven High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect SAP CRM, SAP S/4HANA, SAP NetWeaver, SAP BusinessObjects Business Intelligence Platform, SAP Commerce Cloud, and various application components. RedRays ABAP Code Scanner did not identify new vulnerabilities in this release cycle.

Total Security Notes: 27
HotNews Critical: 2
High Priority: 7
Medium Priority: 16
Low Priority: 2

Executive Summary

  • Critical Code Injection: CVE-2026-0488 (CVSS 9.9) in the Scripting Editor of SAP CRM and SAP S/4HANA allows an authenticated, low-privileged attacker (PR:L) to inject and execute arbitrary code, with cross-scope (S:C) high impact on confidentiality, integrity, and availability.
  • Missing Authorization: CVE-2026-0509 (CVSS 9.6) in SAP NetWeaver Application Server ABAP and ABAP Platform lets an authenticated low-privileged user bypass an authorization check, with cross-scope high impact on integrity and availability; no confidentiality impact is rated.
  • XML Signature Wrapping: CVE-2026-23687 (CVSS 8.8) in SAP NetWeaver AS ABAP and ABAP Platform allows an authenticated attacker to get attacker-controlled XML content accepted as signed, with high impact on confidentiality, integrity, and availability of the affected system (scope unchanged).
  • Denial of Service: four DoS notes, three in SAP BusinessObjects BI Platform and one in SAP Supply Chain Management, plus an insecure-deserialization DoS in the SAP NetWeaver JMS service. Two of the BI Platform issues (CVE-2026-0485, CVE-2026-0490) are exploitable over the network without authentication.
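The published scores can be checked and the notes ordered for scheduling from the CVSS vectors alone. The following Python is an added example written for this editorial pass, not RedRays' or SAP's tooling: a CVSS v3.0/v3.1 base-score calculator run over the 27 vectors listed on this page. The NOTES table is transcribed from the entries below; the "unauthenticated and network-reachable first" rule in unauthenticated_remote() is an editorial triage assumption, not an SAP recommendation.

```python
import math

# CVSS v3.0/v3.1 base-metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers so
    float noise (e.g. 4.0000001) cannot push a score up by a tenth."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.0/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError("not a CVSS v3 vector: " + vector)
    return dict(p.split(":", 1) for p in parts)


def base_score(vector):
    """Base score per the CVSS v3 formula; scope-changed vectors use the
    adjusted impact sub-score and the 1.08 multiplier."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (PR_CHANGED if changed else PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


# (SAP Note, CVE, vector, published score) transcribed from this page's entries.
NOTES = [
    ("3697099", "CVE-2026-0488", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 9.9),
    ("3674774", "CVE-2026-0509", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", 9.6),
    ("3697567", "CVE-2026-23687", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 8.8),
    ("3705882", "CVE-2026-24322", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", 7.7),
    ("3703092", "CVE-2026-23689", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", 7.7),
    ("3678282", "CVE-2026-0485", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5),
    ("3654236", "CVE-2026-0490", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5),
    ("3692405", "CVE-2025-12383", "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", 7.4),
    ("3674246", "CVE-2026-0508", "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N", 7.3),
    ("3695912", "CVE-2026-24324", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 6.5),
    ("3672622", "CVE-2026-0484", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", 6.5),
    ("3688319", "CVE-2026-24328", "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1),
    ("3678417", "CVE-2026-0505", "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1),
    ("3503138", "CVE-2025-0059", "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", 6.0),
    ("3689543", "CVE-2026-23684", "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", 5.9),
    ("3679346", "CVE-2026-24319", "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", 5.8),
    ("3687771", "CVE-2026-24321", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 5.3),
    ("3710111", "CVE-2026-24312", "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N", 5.2),
    ("3691645", "CVE-2026-0486", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", 5.0),
    ("3697256", "CVE-2026-24325", "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", 4.8),
    ("3687285", "CVE-2026-23685", "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", 4.4),
    ("3680390", "CVE-2026-24327", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 4.3),
    ("3678009", "CVE-2026-24326", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", 4.3),
    ("3215823", "CVE-2026-23688", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", 4.3),
    ("3680416", "CVE-2026-23681", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 4.3),
    ("3673213", "CVE-2026-23686", "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N", 3.4),
    ("3678313", "CVE-2026-24320", "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", 3.1),
]


def check_published(notes=NOTES):
    """CVEs whose published score disagrees with the recomputed base score."""
    return [cve for _, cve, vec, score in notes if base_score(vec) != score]


def by_score(notes=NOTES):
    """All CVEs, highest recomputed base score first (stable for ties)."""
    return [cve for _, cve, vec, _ in sorted(notes, key=lambda n: -base_score(n[2]))]


def unauthenticated_remote(notes=NOTES):
    """Editorial triage rule: notes exploitable over the network with no
    credentials (AV:N and PR:N) matter most on systems reachable by untrusted
    clients, whatever their score."""
    return [cve for _, cve, vec, _ in notes
            if parse_vector(vec)["AV"] == "N" and parse_vector(vec)["PR"] == "N"]


if __name__ == "__main__":
    print("score mismatches:", check_published())
    print("unauthenticated, network-reachable:", unauthenticated_remote())
    print("by score:", by_score())
```

All 27 published scores reproduce from their vectors, which is a useful check whenever a summary like this one is retyped by hand. Seven notes (the two BI Platform DoS issues, both Commerce Cloud race conditions, the Commerce Cloud information disclosure and the two BSP open-redirect class issues) need no credentials at all; on an exposed BI Platform or Commerce Cloud instance those belong in the same change window as the two HotNews notes.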

Critical HotNews Vulnerabilities

Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)

CVSS 9.9 | CVE-2026-0488 | Component: CRM-IC-FRW | Code Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in the Scripting Editor of SAP CRM and SAP S/4HANA allows an authenticated attacker with low privileges (PR:L) to inject and execute arbitrary code. With scope changed (S:C) the impact extends beyond the vulnerable component, giving high impact on confidentiality, integrity, and availability of business-critical data. At 9.9 this is one step below the maximum CVSS score and the most severe note of the release.

SAP Note 3697099 — emergency patch required immediately.

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

CVSS 9.6 | CVE-2026-0509 | Component: BC-MID-RFC | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Critical missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated user with low privileges to perform actions that the authorization concept should block. The vector rates high impact on integrity and availability with scope changed, and no confidentiality impact. The component (BC-MID-RFC) places the flaw in the RFC middleware, so systems that expose RFC to large user populations or to other systems should treat this as the second patch after CVE-2026-0488.

SAP Note 3674774 — patch within 24 hours.

High Priority Security Issues

XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform

CVSS 8.8 | CVE-2026-23687 | Component: BC-SEC-WSS | XML Signature Wrapping
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

High severity XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform (Web Services Security) allows an authenticated attacker to get attacker-controlled XML content accepted as if it were covered by a valid signature. In a signature wrapping attack the originally signed element is kept somewhere in the document so the signature still verifies, while the application consumes a different, unsigned element. The vector rates high impact on confidentiality, integrity, and availability of the affected system, with scope unchanged (S:U).

SAP Note 3697567 — high priority patch within 48 hours.
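To make the bug class concrete, here is an added, deliberately simplified model of signature wrapping. It is example code written for this page, not SAP's code, and it does not describe the specific flaw in BC-SEC-WSS, which is not detailed here. An HMAC over the element's serialized bytes stands in for a real XMLDSig signature and canonicalization; the document, key and element names are constructed for the demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # shared verification key, an assumption for the demo


def digest(elem):
    """Simplified 'canonicalization': HMAC over the element's serialized bytes."""
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()


def sign(xml_text, ref_id):
    """Append <Signature URI="#ref_id"> covering the element with Id=ref_id."""
    root = ET.fromstring(xml_text)
    target = next(e for e in root.iter() if e.get("Id") == ref_id)
    sig = ET.SubElement(root, "Signature", URI="#" + ref_id)
    sig.text = digest(target)
    return ET.tostring(root).decode()


def wrap(signed_xml, evil_amount):
    """Attacker: keep the signed <Order> (moved under a <Wrapper>) so the
    signature still verifies, and put an unsigned <Order> carrying the same Id
    where the application looks first."""
    root = ET.fromstring(signed_xml)
    original = root.find("Order")
    root.remove(original)
    wrapper = ET.SubElement(root, "Wrapper")
    wrapper.append(original)
    evil = ET.Element("Order", Id=original.get("Id"))
    ET.SubElement(evil, "Item").text = original.findtext("Item")
    ET.SubElement(evil, "Amount").text = evil_amount
    root.insert(0, evil)
    return ET.tostring(root).decode()


def process_naive(xml_text):
    """Vulnerable verifier: 'does some element with this Id have a valid
    digest?', then the business logic reads the first <Order> positionally.
    The verified node and the consumed node are not the same object."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    ref_id = sig.get("URI")[1:]
    candidates = [e for e in root.iter() if e.get("Id") == ref_id]
    if not any(hmac.compare_digest(digest(e), sig.text) for e in candidates):
        return None
    return root.find("Order").findtext("Amount")


def process_hardened(xml_text):
    """Fixed verifier: the referenced Id must be unique in the document, and
    the business logic consumes exactly the element whose digest verified."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    ref_id = sig.get("URI")[1:]
    candidates = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(candidates) != 1:
        return None  # duplicate or missing Id: reject the whole message
    verified = candidates[0]
    if not hmac.compare_digest(digest(verified), sig.text):
        return None
    return verified.findtext("Amount")


# Constructed sample message.
ORDER = '<Request><Order Id="o1"><Item>widget</Item><Amount>10</Amount></Order></Request>'
SIGNED = sign(ORDER, "o1")
TAMPERED = wrap(SIGNED, "1000000")

if __name__ == "__main__":
    print("naive, genuine:   ", process_naive(SIGNED))       # 10
    print("naive, wrapped:   ", process_naive(TAMPERED))     # 1000000, signature "valid"
    print("hardened, genuine:", process_hardened(SIGNED))    # 10
    print("hardened, wrapped:", process_hardened(TAMPERED))  # None, rejected
```

The two verifiers accept the same genuine message; only the naive one accepts the wrapped one, because it answers "is there a valid signature somewhere" and then reads data from a different element. The fix is the property to look for in any WS-Security or SAML consumer: the code that acts on the data must use the node the signature was verified over, and nothing else in the document. Real XMLDSig adds canonicalization and transforms on top of this, which are where production implementations usually go wrong, but the verified-node-equals-consumed-node rule is the same.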

Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)

CVSS 7.7 | CVE-2026-24322 | Component: SV-SMG-SDD | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Missing authorization check in SAP Solution Tools Plug-In (ST-PI) allows authenticated attackers to access sensitive system information with cross-scope impact. High severity vulnerability affecting confidentiality of system data.

SAP Note 3705882 — schedule urgent patch.

Denial of service (DOS) in SAP Supply Chain Management

CVSS 7.7 | CVE-2026-23689 | Component: SCM-APO-CA-COP | Denial of Service
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Denial of service vulnerability in SAP Supply Chain Management allows authenticated attackers to disrupt service availability with cross-scope impact. High severity threat to business continuity and supply chain operations.

SAP Note 3703092 — apply high priority patch.

Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform

CVSS 7.5 | CVE-2026-0485 | Component: BI-BIP-SRV | Denial of Service
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Unauthenticated denial of service vulnerability in SAP BusinessObjects BI Platform lets a remote attacker with no credentials (AV:N, PR:N) disrupt business intelligence services, with high impact on availability. Internet- or partner-facing BI Platform deployments should take this note ahead of the authenticated issues with similar scores.

SAP Note 3678282 — high priority update.

Denial of service (DOS) in SAP BusinessObjects BI Platform

CVSS 7.5 | CVE-2026-0490 | Component: BI-BIP-SRV | Denial of Service
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Additional unauthenticated denial of service vulnerability in SAP BusinessObjects BI Platform allows remote attackers to disrupt reporting and analytics services with high availability impact.

SAP Note 3654236 — high priority patch.

Race Condition in SAP Commerce Cloud

CVSS 7.4 | CVE-2025-12383 | Component: CEC-SCC-PLA-PL | Race Condition
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Race condition vulnerability in SAP Commerce Cloud allows unauthenticated attackers to exploit timing windows and compromise confidentiality and integrity of e-commerce operations under complex attack conditions.

SAP Note 3692405 — apply high priority patch.

Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform

CVSS 7.3 | CVE-2026-0508 | Component: BI-BIP-SEC | Open Redirect
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Open redirect vulnerability in SAP BusinessObjects Business Intelligence Platform allows high-privileged attackers to redirect users to malicious sites with cross-scope impact on confidentiality and integrity under complex attack conditions.

SAP Note 3674246 — schedule patch.

Medium Priority Vulnerabilities

Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform (AdminTools)

CVSS 6.5 | CVE-2026-24324 | Component: BI-BIP-SRV | Denial of Service
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Denial of service vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools) allows authenticated attackers to disrupt administrative functions with high impact on system availability.

SAP Note 3695912 — schedule patch.

Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA

CVSS 6.5 | CVE-2026-0484 | Component: BC-DWB-CEX-CF | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA allows authenticated attackers to modify system data with high impact on integrity.

SAP Note 3672622 — apply update.

Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)

CVSS 6.1 | CVE-2026-24328 | Component: SV-SMG-TWB-CBT | Open Redirect
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Open redirection vulnerability in the Business Server Pages application TAF_APPLAUNCHER allows an unauthenticated attacker to send a victim who opens a crafted link (UI:R) to an attacker-chosen site, with cross-scope, low impact on confidentiality and integrity.

SAP Note 3688319 — maintenance window.

Multiple vulnerabilities in BSP Applications of SAP Document Management System

CVSS 6.1 | CVE-2026-0505 | Component: CA-DMS-OP | Multiple Vulnerabilities
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Multiple security vulnerabilities in BSP applications of SAP Document Management System allow an unauthenticated attacker to target users who open a crafted link (UI:R), with cross-scope, low impact on confidentiality and integrity.

SAP Note 3678417 — schedule update.

Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

CVSS 6.0 | CVE-2025-0059 | Component: BC-FES-WGU | Information Disclosure
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Information disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) allows high-privileged local attackers to access sensitive system information with cross-scope impact.

SAP Note 3503138 — apply fix.

Race condition vulnerability in SAP Commerce Cloud

CVSS 5.9 | CVE-2026-23684 | Component: CEC-SCC-COM-BC-OCC | Race Condition
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Race condition vulnerability in SAP Commerce Cloud allows unauthenticated attackers to exploit timing windows and compromise integrity of e-commerce transactions under complex attack conditions.

SAP Note 3689543 — routine update.

Information Disclosure Vulnerability in SAP Business One (B1 Client Memory Dump Files)

CVSS 5.8 | CVE-2026-24319 | Component: SBO-CRO-SEC | Information Disclosure
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Information disclosure vulnerability in SAP Business One (B1 Client Memory Dump Files) allows high-privileged local attackers to access sensitive business data from memory dump files.

SAP Note 3679346 — apply patch.

Information Disclosure vulnerability in SAP Commerce Cloud

CVSS 5.3 | CVE-2026-24321 | Component: CEC-SCC-COM-BC-OCC | Information Disclosure
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP Commerce Cloud allows unauthenticated attackers to access sensitive e-commerce information with low confidentiality impact.

SAP Note 3687771 — apply update.

Missing authorization check in SAP Business Workflow

CVSS 5.2 | CVE-2026-24312 | Component: BC-BMT-WFM | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N

Missing authorization check in SAP Business Workflow allows a high-privileged attacker (PR:H), with user interaction from a victim (UI:R), to bypass an authorization check and modify workflow data, with high impact on integrity and low impact on confidentiality.

SAP Note 3710111 — schedule patch.

Missing Authorization Check in ABAP based SAP systems

CVSS 5.0 | CVE-2026-0486 | Component: SV-SMG-SDD | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Missing authorization check in ABAP based SAP systems allows authenticated attackers to access sensitive system information with cross-scope impact on confidentiality.

SAP Note 3691645 — apply fix.

Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)

CVSS 4.8 | CVE-2026-24325 | Component: BI-BIP-CMC | Cross-Site Scripting
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Cross-Site Scripting vulnerability in SAP BusinessObjects Enterprise (Central Management Console) allows high-privileged attackers to inject malicious scripts with cross-scope impact.

SAP Note 3697256 — maintenance window.

Insecure Deserialization vulnerability in SAP NetWeaver (JMS service)

CVSS 4.4 | CVE-2026-23685 | Component: BC-JAS-JMS | Insecure Deserialization
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Insecure deserialization vulnerability in SAP NetWeaver (JMS service) allows high-privileged local attackers to cause denial of service with high availability impact.

SAP Note 3687285 — routine update.

Missing Authorization Check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application)

CVSS 4.3 | CVE-2026-24327 | Component: FIN-SEM-CPM-BSC | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application) allows authenticated attackers to access sensitive strategic management data.

SAP Note 3680390 — apply patch.

Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)

CVSS 4.3 | CVE-2026-24326 | Component: IS-DFS-BIT | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations) allows authenticated attackers to modify defense and security data with low integrity impact.

SAP Note 3678009 — schedule update.

Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services)

CVSS 4.3 | CVE-2026-23688 | Component: MM-PUR-SVC-SES | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Missing authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services) allows authenticated attackers to modify service entry data with low integrity impact.

SAP Note 3215823 — apply fix.

Missing Authorization check in a function module in SAP Support Tools Plug-In

CVSS 4.3 | CVE-2026-23681 | Component: SV-SMG-SDD | Missing Authorization Check
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in a function module in SAP Support Tools Plug-In allows authenticated attackers to access sensitive support tool data with low confidentiality impact.

SAP Note 3680416 — routine update.

Low Priority Security Updates

CRLF Injection vulnerability in SAP NetWeaver Application Server Java

CVSS 3.4 | CVE-2026-23686 | Component: BC-MID-CON-JCO | CRLF Injection
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

CRLF injection vulnerability in SAP NetWeaver Application Server Java allows high-privileged attackers to inject CRLF sequences with cross-scope impact on integrity under user interaction conditions.

SAP Note 3673213 — low priority update.

Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)

CVSS 3.1 | CVE-2026-24320 | Component: BC-CST-IC | Memory Corruption
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Memory corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP, component BC-CST-IC, the Internet Communication Manager) allows an authenticated attacker, under high attack complexity (AC:H), to trigger a memory corruption whose rated effect is a limited information leak (C:L); no integrity or availability impact is rated.

SAP Note 3678313 — regular maintenance cycle.
