SAP Security Notes: June 2026 Patch Day

SAP NetWeaver AS ABAP and ABAP Platform affected by two critical HotNews Notes
Highlights of the June SAP Security Notes analysis include:
- June Summary – Twenty new and updated SAP security patches released, including six HotNews Notes and three High Priority Notes
- SAML authentication – An XML Signature Wrapping vulnerability puts the confidentiality, integrity and availability of the application at high risk
- Onapsis Research Labs Contribution – Our team supported SAP in patching six vulnerabilities, including two tagged as HotNews and one tagged as High Priority
SAP has published twenty new and updated SAP Security Notes in its June Patch Day, including six HotNews Notes and three High Priority Notes. Six of the sixteen new Security Notes were published in collaboration with the Onapsis Research Labs.

The HotNews Notes in Detail
The Onapsis Research Labs (ORL) supported SAP in patching two of the four new HotNews Notes.
SAP Security Note #3746332, tagged with a CVSS score of 9.9, patches a critical XML Signature Wrapping vulnerability in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform. The ORL team detected that the application allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier. Due to improper XML signature verification, the manipulated identity information is accepted, leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application. The only available temporary workaround is to disable SAML authentication.
SAP Security Note #3717897, tagged with a CVSS score of 9.8, patches a Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform. External researchers detected that the SAP kernel improperly validates the RFC protocol. This allows an unauthenticated attacker to send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption.
SAP Security Note #3748262, tagged with a CVSS score of 9.1, patches a potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub. These applications use a version of Spring Security that could be vulnerable to CVE-2026-22732. Under certain conditions Spring Security might not write HTTP response headers, including important security headers, which may have a high impact on confidentiality and integrity, with no impact on availability. Although SAP Commerce Cloud uses a multi-layer mechanism to set HTTP security response headers, it does not provide a fallback for headers that are exclusively managed by Spring.
SAP Security Note #3727078, tagged with a CVSS score of 9.0, addresses a Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container). Researchers of the Onapsis Research Labs were able to craft a malicious HTTP logon request as an unauthenticated user that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Upon processing of the included file an attacker can view or modify sensitive information or render any part of the local system unavailable.
Two HotNews Notes were updated since the last SAP Patch Day:
SAP Security Note #3747787 patches the malicious open-source packages in SAP Cloud Application Programming Model & MTA Build Tool that were temporarily available for download from the NPM registry on April 29, 2026. SAP has updated the note with another malicious NPM package and additional hash keys that identify vulnerable versions of the affected packages.
SAP Security Note #3733064, tagged with a CVSS score of 9.6, was initially released on SAP’s May Patch Day and patches a Missing authentication check vulnerability in SAP Commerce Cloud configuration. This note has been re-released with textual changes in the ‘Symptom’, ‘Other Terms’, ‘Solution’ and ‘Workaround’ sections.
The High Priority Notes in Detail
SAP Security Note #3747484, tagged with a CVSS score of 7.4, addresses multiple known vulnerabilities in Apache Tomcat within SAP Commerce Cloud. The vulnerabilities impact certificate-based authentication and validation mechanisms of the application and are tracked under CVE-2026-29145, CVE-2025-66614, and CVE-2026-24734. The note provides patches that use a version of Apache Tomcat that is no longer vulnerable to these CVEs.
SAP Security Note #3735546, tagged with a CVSS score of 7.1, was released in collaboration with the Onapsis Research Labs. Our team identified a program in Application Server ABAP of SAP NetWeaver and ABAP Platform that allows a low-privileged authenticated attacker to overwrite information belonging to another user, resulting in escalation of privileges.
SAP Security Note #3732471, tagged with a CVSS score of 8.2, was initially released in collaboration with the Onapsis Research Labs on SAP’s May Patch Day. SAP has added additional correction instructions to patch the critical OS Command Injection Vulnerability in SAP Forecasting & Replenishment.
Onapsis Contribution
The Onapsis Research Labs (ORL) contributed significantly to SAP’s June Patch Day. In addition to two HotNews Notes and one High Priority Note, the ORL supported SAP in patching three Medium Priority SAP Security Notes:
SAP Security Note #3751691, tagged with a CVSS score of 6.5, patches an SQL Injection vulnerability in SAP S/4HANA. Our researchers identified a remote-enabled function module that could be exploited by an authenticated attacker to potentially execute unauthorized database queries. On successful exploitation, the attacker can access sensitive information to which they should not otherwise have access.
SAP Security Note #3723655, tagged with a CVSS score of 6.1, addresses a Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (JDBC Test Servlet). While analyzing the servlet, the ORL team detected that an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim’s browser. This could allow the attacker to access and/or modify information related to the web client, impacting the confidentiality and integrity of the application, with no impact on availability.
SAP Security Note #3715280, tagged with a CVSS score of 4.7, describes a Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager. Due to improper encoding of URL parameters, unauthenticated attackers can construct a specially crafted URL which, when accessed by a victim, could execute an injected script in the user’s browser within the context of the application.
Summary & Conclusions
With four new HotNews Notes and two new High Priority Notes, SAP’s June Patch Day is a noisier one. With six of the sixteen new SAP Security Notes, including two HotNews Notes and one High Priority Note, the Onapsis Research Labs once again contributed significantly to this SAP Patch Day.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3746332 | New | [CVE-2026-44748] XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform BC-SEC-LGN-SML | HotNews | 9.9 |
| 3717897 | New | [CVE-2026-27671] Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform BC-MID-RFC | HotNews | 9.8 |
| 3733064 | Update | [CVE-2026-34263] Missing authentication check in SAP Commerce Cloud configuration CEC-SCC-CDM-BO-APP | HotNews | 9.6 |
| 3748262 | New | [CVE-2026-22732] Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub CEC-SCC-PLA-PL | HotNews | 9.1 |
| 3727078 | New | [CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) BC-JAS-WEB | HotNews | 9 |
| 3747787 | Update | Malicious open-source packages in SAP Cloud Application Programming Model & MTA Build Tool BC-XS-CDX-NJS | HotNews | – |
| 3732471 | Update | [CVE-2026-34259] OS Command Injection Vulnerability in SAP Forecasting & Replenishment SCM-FRE-FRP | High | 8.2 |
| 3747484 | New | [CVE-2026-29145] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud CEC-SCC-PLA-PL | High | 7.4 |
| 3735546 | New | [CVE-2026-44751] Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform BC-DWB-DIC-AC | High | 7.1 |
| 3748819 | New | [CVE-2026-44754] Missing caller identification check-in for ODP Data Replication APIs BC-BW-ODP | Medium | 6.6 |
| 3751691 | New | [CVE-2026-44744] SQL Injection vulnerability in SAP S/4HANA CA-EPT-SSC | Medium | 6.5 |
| 3723655 | New | [CVE-2026-44746] Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (JDBC Test Servlet) BW-BEX-UDI | Medium | 6.1 |
| 3715280 | New | [CVE-2026-44757] Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager SV-SMG-DIA-WLY | Medium | 4.7 |
| 3687096 | New | [CVE-2026-44755] Email Spoofing vulnerability in SAP Business Objects Business Intelligence Platform BI-BIP-SEC | Medium | 4.3 |
| 3673181 | New | [CVE-2026-44750] Missing Authorization check in SAP MDG (Review Match Groups Application) CA-MDG-CMP-BP | Medium | 4.3 |
| 3433366 | New | [CVE-2026-44749] Information Disclosure vulnerability in SAP Gateway OPU-GW-V4 | Medium | 4.3 |
| 3718508 | Update | [CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management ICM | Medium | 4.3 |
| 3682699 | New | [CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad) CA-FLP-FE-COR | Medium | 4.2 |
| 3706000 | New | [CVE-2026-44743] Security Misconfiguration vulnerability in SAP Business Objects BI-BIP-CMC | Low | 3.7 |
| 3726899 | New | [CVE-2025-68161] Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java BC-JAS-SEC-UME | Low | 3.3 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.
