SAP has rolled out 20 new and updated security advisories during its April 2026 security update, addressing a particularly critical flaw in its systems. The most notable of these is CVE-2026-27681, a high-priority SQL injection vulnerability affecting Business Planning and Consolidation and Business Warehouse platforms, which was assigned a CVSS score of 9.9.
Understanding the Critical Vulnerability
The vulnerability, as detailed by the security firm Onapsis, involves an ABAP program that permits a user with minimal privileges to upload a file containing arbitrary SQL commands that are subsequently executed. This loophole could allow attackers to manipulate database content or execute harmful code.
Jonathan Stross, a senior product manager at Pathlock, explained that the flaw could be exploited to directly interact with the database, enabling attackers to read or alter data without requiring user interaction. This presents a significant risk as attackers could potentially access sensitive financial data, modify reports, or corrupt crucial database information.
Mitigation Measures and Other Updates
In response to this threat, SAP has disabled the vulnerable executable code to prevent exploitation. Additionally, SAP has remedied a high-severity issue, tracked as CVE-2026-34256, which involved a missing authorization check in ERP and S/4 HANA systems. This flaw could allow unauthorized execution of ABAP programs.
Among the remaining updates, 16 security notes address medium-severity vulnerabilities across various SAP applications, including BusinessObjects, Business Analytics, and others. These vulnerabilities could lead to issues such as information leaks, denial-of-service attacks, or unauthorized code execution.
Importance of Timely Updates
The final two advisories cater to low-severity code injection vulnerabilities in NetWeaver and Landscape Transformation. Although SAP has no reports of these vulnerabilities being exploited in real-world scenarios, users are urged to apply these updates promptly to safeguard their systems.
With cybersecurity threats constantly evolving, SAP’s proactive patch management underscores the importance of regular updates to maintain system integrity and protect sensitive business operations from potential breaches.
