SAP has released its July 2026 security patch package containing 19 security notes addressing vulnerabilities across enterprise SAP environments. This release is unusually critical, with four HotNews vulnerabilities rated up to CVSS 9.9, six High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP S/4HANA, SAP NetWeaver Application Server ABAP and Java, SAP Commerce Cloud, SAP CRM, SAP Approuter, SAP Fiori, SAP HANA Extended Application Services, SAP Change and Transport System, SAProuter, and SAP Integration Suite. Three notes (CVE-2026-24315, CVE-2026-40128, CVE-2025-68161) were originally released in June 2026 and have been updated as part of this cycle.
19
4
6
7
2
Executive Summary
- Critical Memory Corruption: CVE-2026-44747 (CVSS 9.9) in SAP NetWeaver Application Server ABAP lets a low-privileged attacker corrupt memory via crafted requests, with cross-scope impact enabling potential arbitrary code execution and full system compromise.
- Critical HTTP Request Smuggling: CVE-2026-27690 (CVSS 9.1) in SAP Approuter lets an unauthenticated remote attacker smuggle crafted requests past the router, with high impact on confidentiality and availability.
- Critical Insecure Sample Credentials: CVE-2026-44761 (CVSS 9.1) in SAP Commerce Cloud ships with default sample credentials that, left in place, let an unauthenticated attacker gain unauthorized access with high impact on confidentiality and integrity.
- Critical Directory Traversal: CVE-2026-40128 (CVSS 9.0, updated from June) in the Web Container of SAP NetWeaver AS Java allows an unauthenticated attacker to traverse outside the intended directory, with cross-scope compromise of confidentiality, integrity, and availability.
Critical HotNews Vulnerabilities
Memory Corruption Vulnerability in SAP NetWeaver Application Server ABAP
A memory corruption vulnerability in SAP NetWeaver Application Server ABAP allows a low-privileged authenticated attacker to corrupt memory via crafted requests, potentially achieving arbitrary code execution. With a changed scope, successful exploitation results in complete compromise of confidentiality, integrity, and availability across trust boundaries.
HTTP Request Smuggling Vulnerability in SAP Approuter
An HTTP request smuggling vulnerability in SAP Approuter allows an unauthenticated remote attacker to smuggle crafted requests past the router. Successful exploitation results in high impact on confidentiality and availability, with no effect on integrity.
Insecure Sample Credentials in SAP Commerce Cloud
SAP Commerce Cloud shipped with insecure sample credentials in a default configuration. An unauthenticated remote attacker who finds these samples still present can gain unauthorized access, resulting in high impact on confidentiality and integrity. This is a documentation-classified fix - remove or rotate any sample credentials still active in your landscape.
Directory Traversal Vulnerability in SAP NetWeaver Application Server Java (Web Container)
A directory traversal vulnerability in the Web Container of SAP NetWeaver Application Server Java allows an unauthenticated attacker, under complex conditions, to access and manipulate files outside the intended directory. With a changed scope, successful exploitation results in complete compromise of confidentiality, integrity, and availability. This note was originally released 9 June 2026 and has been updated 14 July 2026.
High Priority Security Issues
Multiple Vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Multiple vulnerabilities in the bundled Apache Tomcat within SAP Commerce Cloud allow unauthenticated remote attackers, under complex conditions, to compromise the application server. Successful exploitation results in high impact on confidentiality, integrity, and availability.
Open Redirect Vulnerability in SAP Approuter
An open redirect vulnerability in SAP Approuter allows an unauthenticated attacker, with user interaction, to redirect victims to an attacker-controlled site, for example to harvest credentials via a convincing phishing page. Successful exploitation results in high impact on confidentiality and integrity.
Multiple Vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell)
Multiple vulnerabilities in the bundled Apache Camel within SAP Integration Suite (Edge Integration Cell) allow a low-privileged authenticated attacker to compromise the integration runtime. Successful exploitation results in high impact on confidentiality, integrity, and availability.
DLL Hijacking Vulnerability in SAProuter on Microsoft Windows
A DLL hijacking vulnerability in SAProuter on Microsoft Windows allows an unauthenticated attacker with local access to load a malicious library into the SAProuter process. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the host.
Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Application Server Java (Configuration Wizard)
A Cross-Site Scripting vulnerability in the Configuration Wizard of SAP NetWeaver Application Server Java allows an unauthenticated attacker, with user interaction, to inject scripts that execute in an administrator's browser. With a changed scope, successful exploitation results in high impact on confidentiality and low impact on integrity.
Remote Code Execution Vulnerability in SAP Change and Transport System Attach Tool (ctsattach)
A remote code execution vulnerability in the SAP Change and Transport System Attach Tool (ctsattach) allows a low-privileged authenticated attacker, with user interaction, to execute arbitrary code. Successful exploitation results in high impact on confidentiality and integrity, with low impact on availability.
Medium Priority Vulnerabilities
Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Enterprise Portal
A Cross-Site Scripting vulnerability in SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts that execute in a victim's browser when the user interacts with crafted content. With a changed scope, successful exploitation results in low impact on confidentiality and integrity.
SQL Injection Vulnerability in SAP S/4HANA Project Management (PPM-PRO)
A SQL injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged attacker, under complex conditions, to inject malicious SQL statements into backend queries. Successful exploitation results in high impact on confidentiality, with low impact on integrity and availability.
Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Application Server ABAP (Business Server Pages)
A Cross-Site Scripting vulnerability in Business Server Pages applications on SAP NetWeaver Application Server ABAP allows an unauthenticated attacker, under complex conditions and with user interaction, to inject scripts that execute in a victim's browser, leading to cross-scope impact on confidentiality and integrity.
Missing Authorization Check in SAP S/4HANA (Draft Operation)
A missing authorization check in the draft operation of SAP S/4HANA allows a low-privileged authenticated attacker to perform unauthorized draft-related operations. Successful exploitation results in low impact on confidentiality, with no effect on integrity or availability.
Missing Authorization Check in SAP S/4HANA (Create Single Payment)
A missing authorization check in the Create Single Payment function of SAP S/4HANA allows a low-privileged authenticated attacker to perform payment-related operations without holding the required authorization. Successful exploitation results in low impact on confidentiality.
Path Traversal Vulnerability in SAP Fiori (Launchpad)
A path traversal vulnerability in the SAP Fiori launchpad allows an unauthenticated attacker, under complex conditions and with user interaction, to access resources outside the intended path, leading to low impact on confidentiality and integrity. This note was originally released 9 June 2026 and has been updated 14 July 2026.
Security Misconfiguration in SAP CRM (WebClient UI)
A security misconfiguration in the WebClient UI of SAP CRM allows a low-privileged authenticated attacker, with user interaction, to affect data displayed to other users. With a changed scope, successful exploitation results in low impact on integrity.
Low Priority Security Updates
Information Disclosure Vulnerability in SAP HANA Extended Application Services (User Self Service)
An information disclosure vulnerability in the User Self Service application of SAP HANA Extended Application Services (classic model) allows an unauthenticated attacker, under complex conditions, to obtain limited sensitive information, leading to low impact on confidentiality.
Potential Vulnerability in Apache Log4j Library Used by SAP NetWeaver AS Java
A potential vulnerability in the Apache Log4j library used by SAP NetWeaver AS Java allows a high-privileged attacker, under complex conditions, to affect the User Management Engine with low impact on confidentiality and integrity. This note was originally released 9 June 2026 and has been updated 14 July 2026.
Security Advisory prepared by RedRays Cybersecurity Team
Based on SAP Security Notes published 14 July 2026.
© 2026 RedRays. Test patches in development environments before production deployment.

