On Tuesday, SAP, a leading provider of enterprise software, issued 15 new security updates, four of which address critical vulnerabilities in NetWeaver, Commerce, and Data Hub systems.
Critical Vulnerabilities in SAP Systems
The most alarming issue resolved is CVE-2026-44748, a critical XML Signature Wrapping vulnerability in the SAML Authentication component of NetWeaver AS ABAP and ABAP Platform, carrying a CVSS score of 9.9. This flaw allows authenticated users with normal privileges to manipulate signed XML documents, potentially gaining unauthorized access to sensitive data, as explained by security firm Onapsis.
To mitigate this risk until the patch is applied, Onapsis advises temporarily disabling SAML authentication. This measure can prevent attackers from exploiting the vulnerability to alter identity information and access critical user data.
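As an added illustration of the defensive side of XML Signature Wrapping (this is not code from SAP, Onapsis or the advisory), the structural check below is what a SAML service provider should apply before trusting an assertion: the assertion it is about to consume must be the one the enveloped signature actually references, and that ID must be unique in the document. The sample Response is constructed here for the example; cryptographic verification of the signature value is assumed to happen in a separate step.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one Assertion carrying an enveloped Signature that
# references the Assertion's own ID (SignatureValue is a placeholder).
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def consumed_assertion_is_signed(xml_text: str) -> bool:
    """Return True only if the Assertion a service provider would consume
    (the first Assertion child of the Response) is the element the enveloped
    signature references, and that reference is unambiguous."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)  # direct children only
    if not assertions:
        return False
    consumed = assertions[0]
    # The signature must be enveloped inside the assertion we are going to use,
    # not somewhere else in the document.
    sig = consumed.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or uri[1:] != consumed.get("ID"):
        return False
    # A referenced ID that appears more than once lets an unsigned copy
    # be resolved in place of the signed element, so reject duplicates.
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    return len(matches) == 1


if __name__ == "__main__":
    print(consumed_assertion_is_signed(GOOD))  # True for the constructed sample
```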
Memory Corruption and Directory Traversal Flaws
Another significant flaw, CVE-2026-27671, with a CVSS score of 9.8, involves memory corruption in NetWeaver and ABAP Platform. This problem arises from the SAP kernel’s insufficient validation of the RFC protocol, which allows unauthenticated attackers to exploit logic errors through crafted requests.
Additionally, SAP patched a directory traversal vulnerability, CVE-2026-40128, in NetWeaver Application Server Java, rated at 9.0 on the CVSS scale. This issue permits unauthenticated attackers to manipulate file inclusion parameters through malicious HTTP logon requests, risking sensitive information exposure and potential denial-of-service attacks.
Impact on Commerce Cloud and Data Hub
The third critical vulnerability, CVE-2026-22732, affects Commerce Cloud and Data Hub, with a CVSS score of 9.1. This weakness impacts applications using the Spring Security framework when specifying HTTP response headers, potentially leading to unrecorded HTTP headers, as highlighted by a NIST advisory.
In addition to these critical patches, SAP addressed high-severity vulnerabilities in Apache Tomcat used in Commerce Cloud and a missing authorization check in NetWeaver and ABAP Platform, enhancing security across its product suite.
These updates underscore SAP’s commitment to maintaining robust security measures in its software, ensuring customers remain protected against emerging threats.
