Decoding the world of cybersecurity

SAP fixes critical NetWeaver and Commerce flaws

SAP’s July Security Patch Day includes critical issues in NetWeaver Application Server ABAP, SAP Approuter, SAP Commerce Cloud, and NetWeaver Application Server Java.

SAP fixes critical NetWeaver and Commerce flaws
Summary
  • SAP’s July 2026 Security Patch Day includes 16 new security notes, one GitHub advisory, and three updates.
  • Critical issues affect SAP NetWeaver Application Server ABAP, SAP Approuter, SAP Commerce Cloud, and NetWeaver Application Server Java.
  • SAP estates support finance, logistics, retail, manufacturing, and public-sector processes, making remediation an operational resilience issue.

SAP has released its July 2026 Security Patch Day updates, including critical vulnerabilities affecting NetWeaver Application Server ABAP, SAP Approuter, SAP Commerce Cloud, and NetWeaver Application Server Java.

The company says the July release includes 16 new security notes, one GitHub security advisory, and three updates to previously released notes. SAP is urging customers to apply patches on priority to protect their SAP landscapes.

The highest-rated issue is CVE-2026-44747, a memory corruption vulnerability in SAP NetWeaver Application Server ABAP with a CVSS score of 9.9. SAP also lists CVE-2026-27690, an HTTP request smuggling vulnerability in SAP Approuter with a CVSS score of 9.1, and CVE-2026-44761, an insecure sample credentials issue in SAP Commerce Cloud with a CVSS score of 9.1. An updated June note for CVE-2026-40128, a directory traversal vulnerability in SAP NetWeaver Application Server Java, carries a CVSS score of 9.0.

SAP’s patch page does not state that these issues are being actively exploited. The exposure sits in the concentration of critical flaws across systems that support financial operations, procurement, logistics, retail, manufacturing, customer commerce, and public administration.

Large SAP environments are rarely straightforward to remediate. Organisations may be running older kernels, heavily customised business processes, integrations with identity systems, data warehouses, APIs, cloud services, and third-party support arrangements. A patch note can generate substantial operational work where business owners, application teams, security teams, and suppliers have to assess compatibility, downtime, testing, rollback, and compensating controls.

SAP vulnerabilities therefore sit close to operational resilience. The affected platforms can support order management, payments, supply planning, customer data, stock movement, tax, payroll, or regulated reporting. A serious compromise of business application infrastructure can affect the integrity of transactions, the availability of core processes, and confidence in business records.

The Approuter issue is notable because request smuggling flaws can produce difficult exposure around how applications interpret traffic across front-end and back-end components. In integrated environments, inconsistent parsing, proxy behaviour, and authentication assumptions can undermine controls that appear sound at the application boundary. SAP Commerce Cloud adds a customer-facing dimension where commerce, identity, and transaction systems may be exposed to the internet.

Patch governance in SAP estates needs a business-criticality view rather than a purely technical queue. Organisations need an inventory of affected versions, an understanding of internet exposure, prioritisation by process importance, and clear ownership between internal teams and service providers. Where patches cannot be applied immediately, compensating controls, monitoring, access restrictions, and risk acceptance need to be documented.

SAP’s July Security Patch Day gives customers the authoritative list of notes and affected products. The enterprise task is to turn that list into controlled remediation across systems that sit inside core business operations.

×