In a crucial update, SAP’s June 2026 Security Patch Day, held on June 9, introduced 15 security notes to tackle vulnerabilities across its main product lines. Among these, four critical issues require immediate attention from enterprises to prevent potential security breaches.
The company advises customers to prioritize these patches by accessing the SAP Support Portal, emphasizing swift action to secure their SAP environments.
Key Vulnerabilities in SAP Products
Leading the list of concerns is CVE-2026-44748, a critical XML Signature Wrapping flaw in SAML Authentication impacting SAP NetWeaver AS ABAP and the ABAP Platform, carrying a CVSS score of 9.9. This vulnerability allows low-privileged attackers to exploit signed XML documents, risking unauthorized access and data breaches. This issue affects a broad range of SAP_BASIS versions from 702 to 919.
Another significant vulnerability, CVE-2026-27671 (CVSS 9.8), affects the Application Server ABAP kernel, presenting a memory corruption risk due to improper RFC protocol validation. This flaw is particularly dangerous as it can be exploited without authentication, potentially compromising the confidentiality and availability of systems.
Other Critical Fixes
Another severe issue addressed is CVE-2026-22732 (CVSS 9.1) within SAP Commerce Cloud and SAP Data Hub. This Spring Security vulnerability could allow unauthenticated remote attackers to breach system confidentiality and integrity.
CVE-2026-40128 (CVSS 9.0) highlights a Directory Traversal vulnerability in the SAP NetWeaver Application Server Java Web Container. This flaw could enable attackers to access sensitive resources, posing a high risk to system integrity.
Additional Security Measures and Recommendations
Besides the critical updates, SAP released two high-severity patches. CVE-2026-29145 (CVSS 7.4) addresses Apache Tomcat vulnerabilities in SAP Commerce Cloud, which could be exploited by unauthenticated attackers. CVE-2026-44751 (CVSS 7.1) fixes a Missing Authorization Check in SAP NetWeaver AS ABAP, impacting system integrity.
SAP advises organizations to address these vulnerabilities promptly, prioritizing the most severe flaws to ensure the security of their systems. The company stresses the importance of maintaining a structured patch management process and staying informed about any additional updates.
As the SAP Security Patch Day occurs on the second Tuesday of each month, enterprises are urged to regularly check the SAP Security Notes portal for updates and incorporate these practices into their security strategies.
