SAP’s June 2026 Security Patch Day — observed on Tuesday, June 9 — delivered 15 new security notes addressing vulnerabilities across core SAP products. The release includes four critical-severity flaws, including a CVSS 9.9 XML Signature Wrapping vulnerability in SAP NetWeaver ABAP that could allow privilege escalation across enterprise systems. Organizations running SAP environments should treat this cycle as a high-priority patching event.
Critical Vulnerabilities: Immediate Action Required
Four vulnerabilities in this cycle carry a Critical severity rating:
- CVE-2026-44748 (CVSS 9.9) — XML Signature Wrapping in SAML Authentication: Affects SAP NetWeaver AS ABAP and ABAP Platform across an extensive range of SAP_BASIS versions (702 through 919). An authenticated low-privilege attacker can transmit modified XML documents to the SAML verifier, potentially enabling acceptance of tampered identity information, unauthorized access to sensitive data, and full privilege escalation. The wide version footprint makes the patch deployment footprint exceptionally large. As a temporary workaround, SAML authentication can be disabled, though this does not cover all signed XML use cases.
- CVE-2026-27671 (CVSS 9.8) — Memory Corruption in AS ABAP Kernel via RFC: Uniquely dangerous because it is unauthenticated. An attacker can send a specially crafted RFC (Remote Function Call) request that exploits logical errors in memory management without valid credentials, resulting in high-impact compromise of confidentiality, integrity, and availability. Affects multiple KRNL64NUC, KRNL64UC, and KERNEL versions (7.22–9.19).
- CVE-2026-22732 (CVSS 9.1) — Spring Security Vulnerability in SAP Commerce Cloud and SAP Data Hub: Allows unauthenticated remote attackers to impact confidentiality and integrity without user interaction. Patching SAP Commerce Cloud environments is essential for any organization running public-facing SAP storefronts.
- CVE-2026-40128 (CVSS 9.0) — Directory Traversal in SAP NetWeaver AS Java Web Container: A network-accessible attacker can traverse directory structures to reach sensitive resources in the ENGINEAPI 7.50 component, with high impact across all three security dimensions (confidentiality, integrity, availability).
High-Severity Patches
Two high-priority notes round out the upper tier of this cycle:
- CVE-2026-29145 (CVSS 7.4) bundles multiple Apache Tomcat vulnerabilities (including CVE-2025-66614 and CVE-2026-24734) within SAP Commerce Cloud, allowing unauthenticated exploitation of the embedded Tomcat server.
- CVE-2026-44751 (CVSS 7.1) patches a Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform (SAP_BASIS 700–816), where a low-privileged network attacker could achieve high integrity impact and partial availability disruption.
Medium and Low Severity Notes
The remaining nine notes cover vulnerabilities across SAP S/4HANA (SQL injection, CVE-2026-44744 CVSS 6.5), ODP Data Replication APIs (missing caller identification), SAP NetWeaver AS Java (Reflected XSS, Log4j-related advisory), SAP Wily Introscope, SAP MDG, SAP BusinessObjects BI Platform (email spoofing), SAP Fiori (path traversal), and SAP Business Objects (security misconfiguration).
Notably, a Log4j exposure (CVE-2025-68161, CVSS 3.3) in SAP NetWeaver AS Java serves as a reminder that third-party library dependencies embedded in SAP products continue to introduce residual risk even years after the original Log4Shell disclosure.
Recommended Patching Sequence
Security teams managing SAP landscapes should prioritize in this order:
- First: CVE-2026-44748 (SAML XML Signature fix) — apply immediately across all SAP_BASIS versions in scope.
- Second: CVE-2026-27671 (Kernel RFC memory corruption) — patch all affected kernel versions to close the unauthenticated attack vector.
- Third: CVE-2026-22732 and CVE-2026-40128 — update SAP Commerce Cloud, SAP Data Hub, and NetWeaver Java environments.
- Fourth: CVE-2026-29145 — apply the Apache Tomcat bundle patch for SAP Commerce Cloud.
- Remaining notes: Schedule within the standard monthly patch cycle, prioritizing the S/4HANA SQL injection and NetWeaver AS Java XSS fixes.
SAP Security Patch Day is scheduled for the second Tuesday of every month. Organizations are strongly advised to implement a structured SAP patch management process and monitor the SAP Security Notes portal for any out-of-band updates following this cycle.
Source: Cyber Security News, June 9, 2026