Overview
SAP’s June 2026 Security Patch Day introduced 15 new security notes, including four critical‑severity vulnerabilities that demand immediate enterprise attention. These flaws affect SAP NetWeaver, SAP Commerce Cloud, SAP Data Hub, and other core components — underscoring the need for rapid patch management across all SAP landscapes.

Critical Vulnerabilities Patched
SAP strongly urges customers to apply updates via the SAP Support Portal without delay.
| CVE ID | Component | Severity (CVSS score) | Impact |
|---|---|---|---|
| CVE‑2026‑44748 | SAML Authentication (XML Signature Wrapping) | 9.9 Critical | Tampered identity acceptance → privilege escalation |
| CVE‑2026‑27671 | RFC Protocol Validation (Kernel) | 9.8 Critical | Memory corruption via unauthenticated RFC requests |
| CVE‑2026‑22732 | Spring Security (SAP Commerce Cloud / Data Hub) | 9.1 Critical | Remote attack impacting confidentiality and integrity |
| CVE‑2026‑40128 | Directory Traversal (NetWeaver Java Web Container) | 9.0 Critical | Access to sensitive resources via path traversal |
The XML Signature Wrapping flaw (CVE‑2026‑44748) is particularly severe, spanning SAP_BASIS versions 702 through 919. It allows attackers to modify signed XML documents and impersonate legitimate users — a direct threat to enterprise identity integrity.
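As an added, defender-side illustration (not code from SAP or from this advisory), the following shows the structural checks a SAML consumer should apply before trusting an assertion, since XML Signature Wrapping abuses the gap between the element a signature covers and the element the application reads. The element layout and fixtures are constructed assumptions, and the cryptographic check of the signature itself is left to a library such as xmlsec.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def select_signed_assertion(xml_text: str) -> ET.Element:
    """Return the one Assertion the enveloped signature references; raise ValueError
    on shapes a wrapping attack relies on. Cryptographic verification of the signature
    (e.g. with xmlsec) is assumed to run afterwards on the returned element."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    # Direct child of the Response only: no Extensions/Object wrapper around it.
    if assertion not in list(root):
        raise ValueError("Assertion is not a direct child of the Response")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("Assertion carries no enveloped Signature")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise ValueError("expected exactly one same-document Reference")
    target_id = refs[0].get("URI")[1:]
    # IDs must be unique, otherwise the Reference can resolve to an element
    # other than the one the consumer reads claims from.
    holders = [e for e in root.iter() if e.get("ID") == target_id]
    if len(holders) != 1 or holders[0] is not assertion:
        raise ValueError(f"#{target_id} does not resolve uniquely to the Assertion")
    return assertion

def accepts(xml_text: str) -> bool:
    """True if the document passes the structural checks above."""
    try:
        select_signed_assertion(xml_text)
        return True
    except ValueError:
        return False

# Constructed fixtures (not real SAP traffic); the Signature element is skeletal.
_RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
             'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{}</samlp:Response>')
_SIGNED = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID>'
           '</saml:Subject><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
           '</ds:SignedInfo></ds:Signature></saml:Assertion>')
GOOD = _RESPONSE.format(_SIGNED)
# Signed original nested under Extensions, an altered copy placed at the top level.
WRAPPED = _RESPONSE.format("<samlp:Extensions>" + _SIGNED + "</samlp:Extensions>" + _SIGNED.replace("alice", "bob"))
DUP_ID = _RESPONSE.format('<samlp:Status ID="_a1"/>' + _SIGNED)  # ID reused by another element
```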
High‑Severity Patches
Two additional high‑priority vulnerabilities were addressed:
- CVE‑2026‑29145 — multiple Apache Tomcat flaws within SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211).
- CVE‑2026‑44751 — missing authorization check in SAP NetWeaver AS ABAP (versions 700–816).
Both can lead to integrity impact and partial availability disruption if left unpatched.
Medium and Low Severity Notes
SAP also released several moderate and low‑risk advisories, including:
- CVE‑2026‑44744 — SQL Injection in SAP S/4HANA (S4FND 102–109).
- CVE‑2026‑44746 — Reflected XSS in NetWeaver Java (JDBC Test Servlet).
- CVE‑2025‑68161 — residual Log4j exposure in NetWeaver AS Java.
These serve as reminders that third‑party dependencies continue to introduce residual risk within SAP ecosystems.
Recommended Remediation Order
Security teams should prioritize patching as follows:
- CVE‑2026‑44748 — apply SAML XML Signature fix immediately; disable SAML temporarily if needed.
- CVE‑2026‑27671 — patch all affected SAP Kernel versions (7.22–9.19).
- CVE‑2026‑22732 & CVE‑2026‑40128 — update SAP Commerce Cloud, Data Hub, and NetWeaver Java.
- CVE‑2026‑29145 — apply Tomcat bundle patch for embedded server vulnerabilities.
- Remaining notes — schedule within monthly patch cycle, prioritizing S/4HANA SQL Injection and NetWeaver XSS fixes.
Expert in the Cloud Insight
This patch cycle demonstrates SAP’s commitment to addressing both core and third‑party risks. The breadth of affected versions — from NetWeaver ABAP to Commerce Cloud — highlights the importance of structured SAP patch management and continuous monitoring of the SAP Security Notes portal.
For enterprises, the key takeaway is clear: patch velocity and dependency visibility are now critical to SAP cyber resilience.