SAP Patch Day Highlights Critical Risks in Core Business Systems
New security disclosures address high-stakes vulnerabilities in NetWeaver and Commerce Cloud, demanding immediate enterprise action.
The latest infrastructure update from SAP has brought a wave of security concerns to the forefront, forcing administrators to prioritize immediate remediation. With 19 new and updated security notes issued, the scope of these technical oversights underscores the ongoing struggle to maintain integrity within complex enterprise environments.
Critical Flaws Demand Immediate Attention
The most pressing issue, CVE-2026-44747, carries a daunting CVSS score of 9.9. This memory corruption vulnerability within the NetWeaver Application Server ABAP architecture exposes organizations to severe risks, including unauthorized data modification and total system unavailability. Security teams are advised to apply patches immediately or, as an interim measure, disable specific ICF nodes within transaction SICF to mitigate exposure.
Furthermore, CVE-2026-27690 introduces a critical HTTP request smuggling risk in Approuter, which has been assigned a CVSS score of 9.1. This defect specifically impacts non-Cloud Foundry environments, potentially allowing unauthenticated actors to desynchronize request-response cycles.
Credential Risks in Commerce Cloud
Commerce Cloud users face a unique challenge due to CVE-2026-44761, a hardcoded credential issue with a CVSS score of 9.1. This vulnerability stems from sample scripts previously hosted on the SAP Help Portal, which encouraged the use of known credentials for development. If these scripts were migrated into production environments, attackers could potentially obtain OAuth2 access tokens to tamper with system data.
Exploitation requires that the customer execute the sample script and retain the resulting OAuth2 client in production without replacing the hardcoded secret. Customers who removed the sample client or replaced the secret with a strong, unique value are not affected.
— Onapsis, SAP security firm
Summary of Quantifiable Risks
- 19 total security notes released in the July 2026 update.
- CVE-2026-44747 identified with a critical 9.9 CVSS severity rating.
- CVE-2026-27690 and CVE-2026-44761 both carry a 9.1 CVSS severity score.
- 6 additional high-severity notes addressing various components like Integration Suite and SAProuter.
Strategic Implications for Enterprise Security
These findings serve as a stark reminder that even legacy configuration practices, such as the use of sample OAuth2 clients, can evolve into significant attack vectors. For businesses relying on SAP architecture, the primary challenge is not only the application of vendor patches but also the rigorous auditing of production environments to ensure that development-era shortcuts have not been inadvertently retained. As attack surfaces grow more complex, the gap between secure deployment and operational convenience remains a primary concern for the entire cybersecurity ecosystem.