Skip links
Picture of Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day July 2026 | RedRays

SAP has released its July 2026 security patch package containing 19 security notes addressing vulnerabilities across enterprise SAP environments. This release is unusually critical, with four HotNews vulnerabilities rated up to CVSS 9.9, six High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP S/4HANA, SAP NetWeaver Application Server ABAP and Java, SAP Commerce Cloud, SAP CRM, SAP Approuter, SAP Fiori, SAP HANA Extended Application Services, SAP Change and Transport System, SAProuter, and SAP Integration Suite. Three notes (CVE-2026-24315, CVE-2026-40128, CVE-2025-68161) were originally released in June 2026 and have been updated as part of this cycle.

Total Security Notes
19
HotNews Critical
4
High Priority
6
Medium Priority
7
Low Priority
2

Executive Summary

  • Critical Memory Corruption: CVE-2026-44747 (CVSS 9.9) in SAP NetWeaver Application Server ABAP lets a low-privileged attacker corrupt memory via crafted requests, with cross-scope impact enabling potential arbitrary code execution and full system compromise.
  • Critical HTTP Request Smuggling: CVE-2026-27690 (CVSS 9.1) in SAP Approuter lets an unauthenticated remote attacker smuggle crafted requests past the router, with high impact on confidentiality and availability.
  • Critical Insecure Sample Credentials: CVE-2026-44761 (CVSS 9.1) in SAP Commerce Cloud ships with default sample credentials that, left in place, let an unauthenticated attacker gain unauthorized access with high impact on confidentiality and integrity.
  • Critical Directory Traversal: CVE-2026-40128 (CVSS 9.0, updated from June) in the Web Container of SAP NetWeaver AS Java allows an unauthenticated attacker to traverse outside the intended directory, with cross-scope compromise of confidentiality, integrity, and availability.

Critical HotNews Vulnerabilities

Memory Corruption Vulnerability in SAP NetWeaver Application Server ABAP

9.9 CVE-2026-44747 BC-FES-ITS Memory Corruption
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

A memory corruption vulnerability in SAP NetWeaver Application Server ABAP allows a low-privileged authenticated attacker to corrupt memory via crafted requests, potentially achieving arbitrary code execution. With a changed scope, successful exploitation results in complete compromise of confidentiality, integrity, and availability across trust boundaries.

SAP Note 3747367 — apply HotNews patch immediately.

HTTP Request Smuggling Vulnerability in SAP Approuter

9.1 CVE-2026-27690 BC-XS-APR Request Smuggling
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

An HTTP request smuggling vulnerability in SAP Approuter allows an unauthenticated remote attacker to smuggle crafted requests past the router. Successful exploitation results in high impact on confidentiality and availability, with no effect on integrity.

SAP Note 3720138 — patch within 24 hours.

Insecure Sample Credentials in SAP Commerce Cloud

9.1 CVE-2026-44761 CEC-SCC-COM-BC-OCC Insecure Credentials
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SAP Commerce Cloud shipped with insecure sample credentials in a default configuration. An unauthenticated remote attacker who finds these samples still present can gain unauthorized access, resulting in high impact on confidentiality and integrity. This is a documentation-classified fix - remove or rotate any sample credentials still active in your landscape.

SAP Note 3753495 — emergency review required immediately.

Directory Traversal Vulnerability in SAP NetWeaver Application Server Java (Web Container)

9.0 CVE-2026-40128 BC-JAS-WEB Directory Traversal
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

A directory traversal vulnerability in the Web Container of SAP NetWeaver Application Server Java allows an unauthenticated attacker, under complex conditions, to access and manipulate files outside the intended directory. With a changed scope, successful exploitation results in complete compromise of confidentiality, integrity, and availability. This note was originally released 9 June 2026 and has been updated 14 July 2026.

SAP Note 3727078 — apply HotNews patch immediately.

High Priority Security Issues

Multiple Vulnerabilities in Apache Tomcat within SAP Commerce Cloud

8.1 Multiple CVEs CEC-SCC-PLA-PL Third-Party Component
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Multiple vulnerabilities in the bundled Apache Tomcat within SAP Commerce Cloud allow unauthenticated remote attackers, under complex conditions, to compromise the application server. Successful exploitation results in high impact on confidentiality, integrity, and availability.

SAP Note 3763800 — apply high priority patch.

Open Redirect Vulnerability in SAP Approuter

8.1 CVE-2026-44745 BC-CP-APR Open Redirect
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

An open redirect vulnerability in SAP Approuter allows an unauthenticated attacker, with user interaction, to redirect victims to an attacker-controlled site, for example to harvest credentials via a convincing phishing page. Successful exploitation results in high impact on confidentiality and integrity.

SAP Note 3741519 — apply high priority patch.

Multiple Vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell)

8.8 CVE-2026-40860 LOD-HCI-PI-CON-SOAP Third-Party Component
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Multiple vulnerabilities in the bundled Apache Camel within SAP Integration Suite (Edge Integration Cell) allow a low-privileged authenticated attacker to compromise the integration runtime. Successful exploitation results in high impact on confidentiality, integrity, and availability.

SAP Note 3758101 — apply high priority patch.

DLL Hijacking Vulnerability in SAProuter on Microsoft Windows

8.4 CVE-2026-0487 BC-CST-NI DLL Hijacking
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A DLL hijacking vulnerability in SAProuter on Microsoft Windows allows an unauthenticated attacker with local access to load a malicious library into the SAProuter process. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the host.

SAP Note 3692165 — apply high priority patch.

Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Application Server Java (Configuration Wizard)

8.2 CVE-2026-44752 BC-INS-CTC-RT XSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

A Cross-Site Scripting vulnerability in the Configuration Wizard of SAP NetWeaver Application Server Java allows an unauthenticated attacker, with user interaction, to inject scripts that execute in an administrator's browser. With a changed scope, successful exploitation results in high impact on confidentiality and low impact on integrity.

SAP Note 3748227 — apply high priority patch.

Remote Code Execution Vulnerability in SAP Change and Transport System Attach Tool (ctsattach)

7.6 CVE-2026-58233 BC-CTS-TMS-PLS Remote Code Execution
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

A remote code execution vulnerability in the SAP Change and Transport System Attach Tool (ctsattach) allows a low-privileged authenticated attacker, with user interaction, to execute arbitrary code. Successful exploitation results in high impact on confidentiality and integrity, with low impact on availability.

SAP Note 3773304 — apply high priority patch.

Medium Priority Vulnerabilities

Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Enterprise Portal

6.1 CVE-2026-44759 EP-PIN-AI-SRA XSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

A Cross-Site Scripting vulnerability in SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts that execute in a victim's browser when the user interacts with crafted content. With a changed scope, successful exploitation results in low impact on confidentiality and integrity.

SAP Note 3746678 — schedule patch.

SQL Injection Vulnerability in SAP S/4HANA Project Management (PPM-PRO)

5.5 CVE-2026-44769 PPM-PRO SQL Injection
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L

A SQL injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged attacker, under complex conditions, to inject malicious SQL statements into backend queries. Successful exploitation results in high impact on confidentiality, with low impact on integrity and availability.

SAP Note 3537373 — apply patch.

Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Application Server ABAP (Business Server Pages)

4.7 CVE-2026-44760 BC-BSP XSS
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

A Cross-Site Scripting vulnerability in Business Server Pages applications on SAP NetWeaver Application Server ABAP allows an unauthenticated attacker, under complex conditions and with user interaction, to inject scripts that execute in a victim's browser, leading to cross-scope impact on confidentiality and integrity.

SAP Note 3754659 — schedule patch.

Missing Authorization Check in SAP S/4HANA (Draft Operation)

4.3 CVE-2026-44771 FIN-FSCM-CLM-COP Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

A missing authorization check in the draft operation of SAP S/4HANA allows a low-privileged authenticated attacker to perform unauthorized draft-related operations. Successful exploitation results in low impact on confidentiality, with no effect on integrity or availability.

SAP Note 3515598 — apply update.

Missing Authorization Check in SAP S/4HANA (Create Single Payment)

4.3 CVE-2026-44770 FI-FIO-AP-PAY Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

A missing authorization check in the Create Single Payment function of SAP S/4HANA allows a low-privileged authenticated attacker to perform payment-related operations without holding the required authorization. Successful exploitation results in low impact on confidentiality.

SAP Note 3713902 — apply update.

Path Traversal Vulnerability in SAP Fiori (Launchpad)

4.2 CVE-2026-24315 CA-FLP-FE-COR Path Traversal
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

A path traversal vulnerability in the SAP Fiori launchpad allows an unauthenticated attacker, under complex conditions and with user interaction, to access resources outside the intended path, leading to low impact on confidentiality and integrity. This note was originally released 9 June 2026 and has been updated 14 July 2026.

SAP Note 3682699 — schedule update.

Security Misconfiguration in SAP CRM (WebClient UI)

4.1 CVE-2026-44768 CA-WUI-UI Misconfiguration
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

A security misconfiguration in the WebClient UI of SAP CRM allows a low-privileged authenticated attacker, with user interaction, to affect data displayed to other users. With a changed scope, successful exploitation results in low impact on integrity.

SAP Note 3155685 — apply update.

Low Priority Security Updates

Information Disclosure Vulnerability in SAP HANA Extended Application Services (User Self Service)

3.7 CVE-2026-44753 HAN-AS-XS Information Disclosure
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

An information disclosure vulnerability in the User Self Service application of SAP HANA Extended Application Services (classic model) allows an unauthenticated attacker, under complex conditions, to obtain limited sensitive information, leading to low impact on confidentiality.

SAP Note 3732522 — regular maintenance cycle.

Potential Vulnerability in Apache Log4j Library Used by SAP NetWeaver AS Java

3.3 CVE-2025-68161 BC-JAS-SEC-UME Third-Party Component
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

A potential vulnerability in the Apache Log4j library used by SAP NetWeaver AS Java allows a high-privileged attacker, under complex conditions, to affect the User Management Engine with low impact on confidentiality and integrity. This note was originally released 9 June 2026 and has been updated 14 July 2026.

SAP Note 3726899 — regular maintenance cycle.

Security Advisory prepared by RedRays Cybersecurity Team

Based on SAP Security Notes published 14 July 2026.

© 2026 RedRays. Test patches in development environments before production deployment.

Explore More