Decoding the world of cybersecurity

SAP patches critical NetWeaver flaws

SAP’s June security patch day includes critical NetWeaver, Commerce Cloud, and Data Hub flaws, led by a 9.9-rated SAML authentication issue in NetWeaver AS ABAP.

SAP patches critical NetWeaver flaws
Summary
  • SAP’s June 2026 security patch day includes 15 new security notes.
  • The highest-rated issue is CVE-2026-44748, a 9.9-rated XML signature wrapping flaw in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform.
  • The affected products are deeply embedded in enterprise operations, making patch governance and exposure management business-critical.

SAP has released its June 2026 security patch day updates, including critical flaws affecting NetWeaver AS ABAP, NetWeaver AS Java, Commerce Cloud, and Data Hub.

The company published 15 new security notes on 9 June. The highest-rated issue is CVE-2026-44748, an XML signature wrapping vulnerability in SAML authentication affecting SAP NetWeaver AS ABAP and ABAP Platform. SAP rates the issue critical with a CVSS score of 9.9. The affected SAP_BASIS versions span multiple long-running releases, including 702, 731, 740, 750 through 758, and later 816, 918, and 919 versions.

Other critical notes include CVE-2026-27671, a memory corruption vulnerability in SAP NetWeaver and ABAP Platform with a CVSS score of 9.8; CVE-2026-22732, a potential Spring Security vulnerability affecting SAP Commerce Cloud and SAP Data Hub with a CVSS score of 9.1; and CVE-2026-40128, a directory traversal vulnerability in SAP NetWeaver Application Server Java with a CVSS score of 9.0.

SAP’s June patch day page urges customers to visit the support portal and apply patches on priority. No active exploitation was listed on the public patch day page at the time of drafting, but the affected products are central enough to require prompt risk review across large European estates.

SAP systems sit inside finance, manufacturing, logistics, utilities, retail, healthcare, public administration, and critical supply chains. They often process financial records, procurement data, HR information, customer records, orders, production data, and reporting workflows. Authentication and application-server flaws in those environments can carry business consequences well beyond the technical component affected.

The SAML authentication issue is especially sensitive because SAML is commonly used for federated identity and single sign-on. XML signature wrapping attacks can undermine assumptions about signed assertions if an application validates one part of a message while processing another. In enterprise environments, that can create authentication or authorisation risk where trust relationships are complex and identity infrastructure spans multiple systems.

Patch governance for SAP is rarely straightforward. Many deployments are heavily customised, integrated with surrounding applications, and bound to business process windows. Some systems cannot be patched immediately without regression testing, downtime planning, change control, and coordination between infrastructure, application, security, and business teams. That creates a familiar gap between vulnerability severity and remediation speed.

The June release also illustrates the breadth of SAP exposure. NetWeaver AS ABAP, NetWeaver AS Java, Commerce Cloud, Data Hub, S/4HANA, Fiori, BusinessObjects, and other components appear across the patch set. Organisations that treat SAP patching as a single platform task may miss the number of different owners and environments involved.

The immediate response should start with asset visibility. Security and SAP Basis teams need to identify affected versions, internet-exposed components, identity integrations, privileged interfaces, and systems handling sensitive or regulated data. They should also assess compensating controls, such as access restrictions, monitoring, segmentation, and identity policy enforcement, while patches move through testing.

European organisations face increasing pressure to show that operationally critical enterprise platforms are governed as resilience infrastructure. Under regimes such as NIS2 and DORA, weak patch discipline around systems that support essential or important services can become a supervisory issue, not merely an IT backlog item.

SAP’s June patch day places enterprise resource planning, commerce, data hub, and application-server platforms in the same resilience category as other critical business systems. When authentication, memory corruption, and traversal flaws affect those layers, patching becomes part of operational continuity rather than routine maintenance.

×