SAP patches critical NetWeaver flaws in June 2026 Security Patch Day


SAP has released its June 2026 Security Patch Day updates, fixing 15 new security issues across NetWeaver, ABAP Platform, Commerce Cloud, Data Hub, S/4HANA, BusinessObjects, and other products.

The most urgent fixes address four critical vulnerabilities, including two high-risk SAP NetWeaver and ABAP Platform flaws that enterprise admins should prioritize immediately. SAP published the June updates on June 9, 2026, according to the company’s June 2026 Security Patch Day bulletin.

The most severe issue is CVE-2026-44748, an XML Signature Wrapping flaw in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform. The NVD entry for CVE-2026-44748 rates it as critical with a CVSS score of 9.9.

Critical SAP NetWeaver and ABAP flaws fixed

CVE-2026-44748 can allow an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to a verifier. If the system accepts the altered identity data, attackers could gain unauthorized access to sensitive user information or disrupt normal system use.

The flaw affects a wide range of SAP_BASIS versions, including 702, 731, 740, 750 through 758, 816, 918, and 919. Because SAML authentication often sits close to identity and access workflows, this vulnerability deserves fast review in business-critical SAP environments.
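As an added illustration (not code from SAP or from the bulletin) of the verifier-side checks that defeat the XML Signature Wrapping class described above, the following Python standard-library snippet confirms that the assertion a service provider consumes is the one the enveloped signature actually references. The sample responses are constructed, and cryptographic verification of the signature is assumed to run as a separate step.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: one assertion whose enveloped signature references its own ID.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed negative sample in the wrapping pattern: the signed assertion is moved
# into Extensions and an unsigned assertion naming a different user is added.
WRAPPED_RESPONSE = GOOD_RESPONSE.replace(
    '<saml:Assertion ID="_a1">', '<samlp:Extensions><saml:Assertion ID="_a1">', 1).replace(
    "</saml:Assertion>", '</saml:Assertion></samlp:Extensions><saml:Assertion ID="_a2">'
    "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>", 1)

def signed_name_id(xml_text):
    """Return the NameID of the single assertion the signature structurally covers,
    or raise ValueError. Cryptographic verification is assumed to run separately."""
    root = ET.fromstring(xml_text)
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):            # wrapping often relies on duplicate IDs
        raise ValueError("duplicate ID attributes")
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:                 # never pick "the first one we find"
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)  # must be a direct child of the assertion
    if sig is None:
        raise ValueError("consumed Assertion is not signed")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("signature Reference does not point at the consumed Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Assertion has no NameID")
    return name_id.text

def is_accepted(xml_text):
    try:
        signed_name_id(xml_text)
        return True
    except ValueError:
        return False
```

A real verifier additionally checks the signature bytes, the signing certificate, and Conditions such as audience and validity window; the structural binding shown here is what stops a valid signature from vouching for a different assertion.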

The second major NetWeaver issue is CVE-2026-27671, a memory corruption vulnerability in the SAP Kernel used by Application Server ABAP. The NVD entry for CVE-2026-27671 says an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management.

| CVE | Affected product | Severity | CVSS | Impact |
|---|---|---|---|---|
| CVE-2026-44748 | SAP NetWeaver AS ABAP and ABAP Platform | Critical | 9.9 | SAML XML Signature Wrapping can lead to unauthorized access and disruption. |
| CVE-2026-27671 | SAP NetWeaver AS ABAP and ABAP Platform | Critical | 9.8 | Unauthenticated RFC request can trigger memory corruption. |
| CVE-2026-22732 | SAP Commerce Cloud and SAP Data Hub | Critical | 9.1 | Spring Security issue can affect confidentiality and integrity. |
| CVE-2026-40128 | SAP NetWeaver Application Server Java Web Container | Critical | 9.0 | Directory traversal can expose or modify sensitive resources. |

SAP Commerce Cloud and NetWeaver Java also affected

SAP also fixed CVE-2026-22732, a critical Spring Security vulnerability affecting SAP Commerce Cloud and SAP Data Hub. The issue affects HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, 2211-JDK21, and DHUB_CLOUD 2211.

Onapsis said in its June 2026 SAP Security Notes analysis that the affected applications use a Spring Security version that may fail to write certain HTTP response headers under specific conditions. This can create high impact on confidentiality and integrity, although availability is not affected.

The fourth critical flaw, CVE-2026-40128, affects the SAP NetWeaver Application Server Java Web Container, specifically ENGINEAPI 7.50. An unauthenticated attacker can craft a malicious HTTP logon request that manipulates file inclusion parameters, which may allow directory traversal and local file processing.

High-severity SAP patches released in June

SAP’s June bulletin also includes two high-priority fixes. CVE-2026-29145 addresses multiple Apache Tomcat vulnerabilities within SAP Commerce Cloud. SAP lists the issue as high severity with a CVSS score of 7.4.

The second high-severity flaw is CVE-2026-44751, a missing authorization check in SAP NetWeaver AS ABAP and ABAP Platform. SAP says it affects SAP_BASIS versions from 700 through 758 and 816, with a CVSS score of 7.1.

The SAP June 2026 Patch Day list also includes medium and low-severity issues in ODP Data Replication APIs, SAP S/4HANA, SAP NetWeaver AS Java, SAP Wily Introscope Enterprise Manager, SAP MDG, SAP BusinessObjects BI Platform, SAP Fiori Launchpad, and SAP NetWeaver AS Java components using Apache Log4j.

  • Patch CVE-2026-44748 first if SAML authentication is used in affected SAP NetWeaver AS ABAP or ABAP Platform systems.
  • Patch CVE-2026-27671 quickly because it does not require authentication and affects SAP Kernel components.
  • Review SAP Commerce Cloud and SAP Data Hub deployments for the Spring Security and Apache Tomcat updates.
  • Check NetWeaver Java systems for ENGINEAPI 7.50 exposure linked to CVE-2026-40128.
  • Schedule medium and low-severity fixes based on exposure, internet access, business criticality, and compensating controls.

Why SAP admins should not delay these fixes

SAP systems often support finance, supply chain, identity, manufacturing, HR, and other core enterprise processes. A critical flaw in NetWeaver, ABAP Platform, or Commerce Cloud can create risk far beyond a single server.

The CVE-2026-44748 vulnerability record confirms that the SAML flaw can have high impact on confidentiality, integrity, and availability. That makes the issue especially important for systems that rely on federated authentication or handle sensitive business data.

The CVE-2026-27671 vulnerability record is also serious because no credentials are required. A network attacker can send a crafted RFC request, which increases the urgency for systems with reachable RFC services.

SAP patching guidance for June 2026

SAP recommends that customers use the support portal and apply security corrections with priority. The company’s broader Security Notes and News page explains that SAP Security Patch Day occurs on the second Tuesday of every month and provides corrections focused on potential weaknesses or attacks.

Admins should identify affected products, map installed component versions, apply the relevant SAP Notes, and test business-critical workflows after deployment. Teams should also monitor SAP for possible updates to June’s notes, especially for systems exposed to remote users or integrated with identity services.

SAP’s Security Patch Day guidance also notes that security fixes for NetWeaver-based products can be delivered through support packages, so admins should align monthly Security Notes with their regular support package and maintenance strategy.

| Priority | Action | Reason |
|---|---|---|
| Immediate | Patch CVE-2026-44748 and CVE-2026-27671 | Both affect core NetWeaver or ABAP components and have critical CVSS scores. |
| Immediate | Review CVE-2026-40128 exposure | The NetWeaver Java flaw can be reached by unauthenticated attackers. |
| High | Patch SAP Commerce Cloud and SAP Data Hub issues | Spring Security and Tomcat flaws can affect web-facing enterprise services. |
| Planned | Apply medium and low-severity fixes | Several issues still affect sensitive platforms such as S/4HANA and BusinessObjects. |

Onapsis separately counted 20 new and updated SAP security patches in its June Patch Day summary, including six HotNews Notes and three High Priority Notes. That count includes updated notes, while SAP’s official June bulletin lists 15 new Security Notes.

For enterprise security teams, the practical takeaway is clear: review June’s SAP notes now, prioritize the four critical vulnerabilities, and verify that exposed NetWeaver, ABAP, Commerce Cloud, and Data Hub systems receive the required fixes.

FAQ

What did SAP fix in the June 2026 Security Patch Day?

SAP released 15 new Security Notes in June 2026, including four critical fixes affecting SAP NetWeaver AS ABAP, ABAP Platform, SAP Commerce Cloud, SAP Data Hub, and SAP NetWeaver Application Server Java.

What is the most severe SAP vulnerability fixed in June 2026?

The most severe June 2026 SAP flaw is CVE-2026-44748, an XML Signature Wrapping vulnerability in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform. It has a CVSS score of 9.9.

Why is CVE-2026-27671 dangerous?

CVE-2026-27671 is dangerous because it affects the SAP Kernel used by Application Server ABAP and can be exploited without authentication through a crafted RFC request, potentially causing memory corruption and high impact on confidentiality, integrity, and availability.

Which SAP products are affected by the critical June 2026 vulnerabilities?

The critical June 2026 issues affect SAP NetWeaver AS ABAP, ABAP Platform, SAP Commerce Cloud, SAP Data Hub, and SAP NetWeaver Application Server Java Web Container.

What should SAP admins patch first?

SAP admins should first prioritize CVE-2026-44748 and CVE-2026-27671 because they affect core NetWeaver and ABAP components and carry critical severity scores. They should also urgently review CVE-2026-40128 on NetWeaver Java and CVE-2026-22732 in SAP Commerce Cloud and SAP Data Hub.
