Bright Nexus

Published on June 9, 2026

SAP Security Patch Day – Critical Vulnerabilities in SAP NetWeaver Patched

Severity

Critical

Detail

SAP has released 15 new security notes as part of its June 2026 Security Patch Day, addressing multiple vulnerabilities across core SAP products. Among the updates are four critical-severity vulnerabilities affecting SAP NetWeaver, SAP Commerce Cloud, SAP Data Hub, and related enterprise platforms. The most severe vulnerability, CVE-2026-44748, is an XML Signature Wrapping flaw in SAML Authentication affecting SAP NetWeaver AS ABAP and ABAP Platform. An authenticated low-privileged attacker can manipulate signed XML messages, potentially leading to unauthorized access, privilege escalation, and exposure of sensitive user information.

Another critical vulnerability, CVE-2026-27671 affects the SAP Application Server ABAP kernel. The flaw results from improper RFC protocol validation and can be exploited by an unauthenticated attacker through specially crafted RFC requests, potentially causing memory corruption and compromising system confidentiality, integrity, and availability.

SAP also addressed CVE-2026-22732, a Spring Security vulnerability affecting SAP Commerce Cloud and SAP Data Hub. The flaw may allow unauthenticated remote attackers to impact system confidentiality and integrity without user interaction. Additionally, CVE-2026-40128 is a Directory Traversal vulnerability in the SAP NetWeaver Application Server Java Web Container. A network-accessible attacker can exploit the flaw to access sensitive resources and files outside intended directories.

SAP further released patches for several high, medium, and low severity vulnerabilities, including authorization bypasses, SQL injection, cross-site scripting (XSS), path traversal, email spoofing, security misconfigurations, and third-party component exposures.

CVE IDSummaryCVSS Score
CVE-2026-44748XML Signature Wrapping vulnerability in SAML Authentication allowing manipulation of signed XML messages, unauthorized access, and privilege escalation.9.9 (Critical)
CVE-2026-27671Improper RFC protocol validation leading to memory corruption and unauthenticated system compromise.9.8 (Critical)
CVE-2026-22732Spring Security vulnerability allowing unauthenticated remote attacks against SAP Commerce Cloud and SAP Data Hub.9.1 (Critical)
CVE-2026-40128Directory Traversal vulnerability in SAP NetWeaver Application Server Java Web Container.9.0 (Critical)

Affected Products

The following SAP products are affected and should be reviewed for applicable security updates:

  • SAP NetWeaver AS ABAP
  • SAP ABAP Platform
  • SAP Application Server ABAP Kernel
  • SAP NetWeaver Application Server Java
  • SAP Commerce Cloud
  • SAP Data Hub
  • SAP S/4HANA
  • SAP BusinessObjects BI Platform
  • SAP Fiori Launchpad
  • SAP MDG
  • SAP Wily Introscope Enterprise Manager
  • ODP Data Replication APIs

Recommendation

Organizations should promptly apply SAP Security Patch Day updates and implement the following measures to reduce the risk of exploitation:

  • Prioritize immediate deployment of fixes for CVE-2026-44748, CVE-2026-27671, CVE-2026-22732, and CVE-2026-40128 due to their critical severity and potential enterprise-wide impact.
  • Update all affected SAP Kernel versions to remediate the unauthenticated RFC memory corruption vulnerability.
  • Apply SAP NetWeaver SAML authentication fixes across affected SAP_BASIS versions. Where operationally feasible, consider disabling SAML authentication as a temporary mitigation until patches are deployed.
  • Upgrade affected SAP Commerce Cloud, SAP Data Hub, and SAP NetWeaver Java components to address Spring Security, Directory Traversal, and Apache Tomcat vulnerabilities.
  • Review authorization assignments and restrict privileged access within SAP environments to minimize exposure from authorization-related vulnerabilities.
  • Prioritize remediation of medium-severity vulnerabilities affecting SAP S/4HANA, SAP NetWeaver AS Java, and other business-critical systems as part of the organization’s regular patch management cycle.
  • Establish a structured SAP patch management process and continuously monitor SAP Security Notes for future security updates and advisories.

Source

https://cybersecuritynews.com/sap-security-patch-day-june/

https://nvd.nist.gov/vuln/detail/CVE-2026-44748

https://nvd.nist.gov/vuln/detail/CVE-2026-27671

https://nvd.nist.gov/vuln/detail/CVE-2026-22732

https://nvd.nist.gov/vuln/detail/CVE-2026-40128