SAP July 2026 Security Update Fixes Critical NetWeaver Memory Corruption Flaw
SAP has released its July 2026 security updates, led by a critical memory corruption vulnerability in SAP NetWeaver Application Server ABAP.
The flaw, tracked as CVE-2026-44747, carries a CVSS score of 9.9. An authenticated attacker with low privileges could exploit it remotely without user interaction, potentially accessing or modifying data or making the affected application unavailable.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
SAP published 16 new security notes and one GitHub security advisory on July 14. The company also updated three notes from previous Patch Day releases, according to the official July 2026 SAP Security Patch Day bulletin.
CVE-2026-44747 receives a critical 9.9 rating
SAP Security Note 3747367 addresses CVE-2026-44747 in NetWeaver Application Server ABAP. SAP classifies the weakness as an out-of-bounds write caused by logical errors in memory management.
The CVE-2026-44747 vulnerability record states that an authenticated attacker can cause memory corruption, leading to unauthorized data access, modification, or system unavailability.
The flaw has a high potential impact across confidentiality, integrity, and availability. Its changed-scope rating also means exploitation in one vulnerable component may affect resources controlled by a different security authority.
| CVSS metric | Value | Meaning |
|---|---|---|
| Attack vector | Network | An attacker can reach the vulnerable component remotely |
| Attack complexity | Low | Exploitation does not require unusual conditions |
| Privileges required | Low | The attacker must have an authenticated low-privilege account |
| User interaction | None | No action from another user is required |
| Scope | Changed | The impact may cross a security boundary |
| Confidentiality impact | High | Sensitive information may become accessible |
| Integrity impact | High | Data may be modified without authorization |
| Availability impact | High | The application may become unavailable |
Multiple SAP kernel versions require attention
The affected components include KRNL64NUC 7.22 and 7.22EXT, along with KRNL64UC 7.22, 7.22EXT, and 7.53.
Affected KERNEL releases include 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, and 9.20. Administrators should check the installed component and patch level rather than relying only on the broader NetWeaver product name.
The NetWeaver memory corruption advisory identifies SAP Security Note 3747367 as the vendor’s remediation reference. Access to the complete note and correction instructions requires an SAP support account.
- Identify systems running the affected kernel components.
- Review SAP Security Note 3747367 for the required correction.
- Confirm dependencies and kernel compatibility before deployment.
- Test the patch on a representative non-production system.
- Accelerate deployment on business-critical and exposed systems.
SAP Approuter request smuggling flaw scores 9.1
SAP also fixed CVE-2026-27690, a critical HTTP request smuggling vulnerability in SAP Approuter. The issue affects versions of the SAP Approuter Node.js package earlier than 20.10.0.
An unauthenticated attacker can send a specially crafted request that causes the front-end and back-end systems to interpret HTTP traffic differently. This request-response desynchronization may expose user responses or make the system unavailable.
The CVE-2026-27690 entry assigns the vulnerability a 9.1 rating. Its vector indicates a network-based attack with low complexity, no required privileges, and no user interaction.
SAP addresses the flaw through Security Note 3720138. Organizations using affected Approuter packages should update to version 20.10.0 or later after checking application compatibility.
Sample OAuth credentials put Commerce Cloud data at risk
The third new critical issue, CVE-2026-44761, affects SAP Commerce Cloud releases HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21. SAP assigned it a CVSS score of 9.1.
A vulnerable deployment may retain a sample OAuth2 client with publicly documented credentials from SAP’s sample configuration. If an organization leaves those credentials unchanged, an unauthenticated attacker could use them to request a valid access token.
According to the CVE-2026-44761 security record, the token could allow the attacker to invoke certain APIs and read or modify data. SAP reports high confidentiality and integrity impact but no direct availability impact.
- Apply the correction in SAP Security Note 3753495.
- Search for the sample OAuth2 client in affected environments.
- Remove or disable sample clients that are not required.
- Rotate credentials that may match publicly documented examples.
- Review API and token logs for suspicious authentication activity.
June NetWeaver Java note receives a critical update
SAP updated Security Note 3727078 for CVE-2026-40128, a directory traversal vulnerability in the NetWeaver Application Server Java Web Container. The issue affects ENGINEAPI 7.50 and has a CVSS score of 9.0.
Directory traversal vulnerabilities can allow access to files outside the intended application directory. The exact impact and required corrective package depend on the affected SAP component and configuration.
Administrators who applied the original June correction should review the updated CVE-2026-40128 information and SAP Security Note 3727078 to determine whether they need further action.
SAP fixes high-severity RCE and library vulnerabilities
The July release includes seven high-priority notes. These address flaws in SAP Integration Suite, SAProuter for Windows, NetWeaver AS Java, SAP Approuter, SAP Commerce Cloud, and the Change and Transport System Attach Tool.
One notable issue is CVE-2026-58233, a remote code execution vulnerability in ctsattach. It carries a CVSS score of 7.6 and affects CTS_UPLOAD_CLT 1.
SAP also patched multiple Apache Camel vulnerabilities in Edge Integration Cell versions earlier than 8.43.11 and several Apache Tomcat vulnerabilities used within supported SAP Commerce Cloud releases.
| Note or advisory | CVE | Affected SAP product | Issue | Priority | CVSS |
|---|---|---|---|---|---|
| 3747367 | CVE-2026-44747 | NetWeaver AS ABAP | Memory corruption | Critical | 9.9 |
| 3720138 | CVE-2026-27690 | SAP Approuter | HTTP request smuggling | Critical | 9.1 |
| 3753495 | CVE-2026-44761 | SAP Commerce Cloud | Insecure sample credentials | Critical | 9.1 |
| 3727078 | CVE-2026-40128 | NetWeaver AS Java Web Container | Directory traversal, updated June note | Critical | 9.0 |
| 3758101 | CVE-2026-40860, CVE-2026-40453, CVE-2026-33454 | SAP Integration Suite Edge Integration Cell | Apache Camel vulnerabilities | High | 8.8 |
| 3692165 | CVE-2026-0487 | SAProuter for Windows | DLL hijacking | High | 8.4 |
| 3748227 | CVE-2026-44752 | NetWeaver AS Java Configuration Wizard | Cross-site scripting | High | 8.2 |
| 3741519 | CVE-2026-44745 | SAP Approuter | Open redirect | High | 8.1 |
| 3763800 | CVE-2026-43512, CVE-2026-41293, CVE-2026-43515 | SAP Commerce Cloud | Apache Tomcat vulnerabilities | High | 8.1 |
| 3773304 | CVE-2026-58233 | SAP Change and Transport System Attach Tool | Remote code execution | High | 7.6 |
| 3746678 | CVE-2026-44759 | NetWeaver Enterprise Portal | Cross-site scripting | Medium | 6.1 |
| GHSA-p8gx-753q-v89p | CVE-2026-44767 | UI5 Web Components Base | Allowlist bypass and cross-origin CSS injection | Medium | 6.1 |
| 3537373 | CVE-2026-44769 | S/4HANA Project Management | SQL injection | Medium | 5.5 |
| 3754659 | CVE-2026-44760 | NetWeaver AS ABAP Business Server Pages | Cross-site scripting | Medium | 4.7 |
| 3515598 | CVE-2026-44771 | S/4HANA Draft Operation | Missing authorization check | Medium | 4.3 |
| 3713902 | CVE-2026-44770 | S/4HANA Create Single Payment | Missing authorization check | Medium | 4.3 |
| 3682699 | CVE-2026-24315 | SAP Fiori Launchpad | Path traversal, updated June note | Medium | 4.2 |
| 3155685 | CVE-2026-44768 | SAP CRM WebClient UI | Security misconfiguration | Medium | 4.1 |
| 3732522 | CVE-2026-44753 | SAP HANA XS classic model | Information disclosure | Low | 3.7 |
| 3726899 | CVE-2025-68161 | NetWeaver AS Java | Potential Apache Log4j vulnerability, updated June note | Low | 3.3 |
UI5 Web Components receives a GitHub advisory
The separate GitHub security advisory GHSA-p8gx-753q-v89p covers CVE-2026-44767 in UI5 Web Components Base versions earlier than 2.21.0.
The vulnerability allows a bypass in setThemeRoot() that can enable cross-origin CSS injection. SAP rates the issue as medium severity with a CVSS score of 6.1.
Development teams that directly include the affected package should verify dependency versions and update to UI5 Web Components Base 2.21.0 or later. They should also check lock files and indirect dependencies rather than reviewing only top-level package declarations.
Administrators should prioritize the three critical new flaws
Security teams should begin with the three new critical notes, particularly Security Note 3747367 for the NetWeaver ABAP memory corruption flaw. Systems exposed to untrusted networks or supporting essential business processes deserve accelerated treatment.
The SAP Approuter request smuggling flaw and the Commerce Cloud credentials issue both permit attacks without prior authentication. Their remediation should not wait for the next routine maintenance cycle when affected services remain reachable.
Organizations should also revisit the updated NetWeaver Java directory traversal note, even if they installed the June patch. An updated security note may include revised affected-version data, correction instructions, or additional safeguards.
- Inventory the affected SAP products and component versions.
- Download the relevant notes and corrections from SAP for Me.
- Back up systems and configurations before maintenance.
- Test kernel and application updates in non-production environments.
- Restrict network access while patches remain pending.
- Review privileged, OAuth, and service accounts.
- Monitor logs for unexplained errors, token requests, and data access.
SAP urges customers to apply relevant patches promptly
SAP states in its July Patch Day release that customers should visit the support portal and apply patches as a priority to protect their SAP environments.
Administrators should use the full SAP Security Notes as the final authority for prerequisites, correction instructions, workarounds, and required support packages. The public Patch Day table provides an overview but does not replace each product-specific note.
Teams using UI5 Web Components should likewise consult the UI5 Web Components advisory and confirm that deployed applications no longer include vulnerable package versions.
The number and range of affected products make coordinated patch management essential. SAP environments often support finance, commerce, identity, logistics, and other critical operations, so teams should combine rapid remediation with compatibility testing and recovery planning.
FAQ
CVE-2026-44747 is the most serious issue. It is a memory corruption vulnerability in SAP NetWeaver Application Server ABAP with a CVSS score of 9.9.
Yes. Exploitation requires an authenticated attacker with low privileges. The attack can occur over a network and does not require user interaction.
SAP released 16 new security notes and one GitHub security advisory. It also published three updates to previously released security notes.
The HTTP request smuggling vulnerability affects SAP Approuter Node.js package versions earlier than 20.10.0. Administrators should update after checking application compatibility.
Administrators should prioritize the three new critical issues in NetWeaver AS ABAP, SAP Approuter, and SAP Commerce Cloud. They should also review the updated critical NetWeaver AS Java note from June.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages