SAP has released fixes for 15 vulnerabilities, including four critical-severity flaws, affecting SAP NetWeaver and SAP Commerce Cloud as part of its June 2026 security patch bundle.
NetWeaver is SAP's core application platform and middleware stack that provides the foundation for many SAP enterprise applications, including ERP systems, and handles functions such as application delivery, integration, authentication, user management, and data processing.
Commerce Cloud is an enterprise e-commerce platform (formerly known as Hybris). It enables organizations to build and manage online stores, digital sales channels, product catalogs, customer accounts, and order management systems for B2B and B2C commerce.
In this month's security bulletin, SAP lists the following critical vulnerabilities as addressed:
- CVE-2026-44748 (CVSS 9.9) – XML signature wrapping in SAP NetWeaver AS ABAP and ABAP Platform could allow authentication bypass in SAML-based environments.
- CVE-2026-27671 (CVSS 9.8) – Memory corruption flaw in SAP NetWeaver/ABAP Platform Application Server ABAP.
- CVE-2026-22732 (CVSS 9.1) – Spring Security related vulnerability affecting SAP Commerce Cloud and SAP Data Hub.
- CVE-2026-40128 (CVSS 9.0) – Directory traversal vulnerability in the SAP NetWeaver Application Server Java web container.
The description for CVE-2026-44748 states, "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with ordinary privileges to obtain a valid signed message and send a modified signed XML document to a verifier."
"This could allow compromised identity information to be accepted, leading to unauthorized access to sensitive user data and disrupting normal system use."
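The signature-wrapping class behind CVE-2026-44748 comes down to a verifier trusting an assertion other than the one the XML signature actually covers. The following is an added Python example, not SAP's code and not tied to any SAP component, showing the structural binding checks a SAML relying party should apply before trusting an assertion: exactly one Assertion element in the document, unique ID attributes, and an enveloped signature whose single Reference URI points at that very assertion. Cryptographic verification of the signature value itself (done with an XML-DSig library in a real deployment) is assumed to happen separately; the sample responses and the helper names are constructed for this example.

```python
"""Structural binding checks for a SAML relying party (added example).

Cryptographic verification of the XMLDSig is assumed to be done elsewhere
(e.g. with xmlsec). These checks make sure that the assertion the relying
party goes on to consume is exactly the element the signature covers, which
is the property that signature-wrapping attacks violate.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"


class SamlStructureError(ValueError):
    """Raised when the response fails a structural check."""


def collect_ids(root):
    """Return every ID-like attribute value in document order."""
    ids = []
    for el in root.iter():
        for attr in ("ID", "Id", "id"):
            if attr in el.attrib:
                ids.append(el.attrib[attr])
    return ids


def select_trusted_assertion(xml_text):
    """Return (assertion_id, subject_name_id) for the one assertion that is
    safe to consume, or raise SamlStructureError."""
    root = ET.fromstring(xml_text)

    # 1. Exactly one Assertion anywhere in the document, not just at the
    #    expected position: a second, unsigned copy is the classic wrap.
    assertions = list(root.iter(ASSERTION_TAG))
    if len(assertions) != 1:
        raise SamlStructureError(
            f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    # 2. ID attributes must be unique, otherwise "#id" references are ambiguous.
    ids = collect_ids(root)
    if len(ids) != len(set(ids)):
        raise SamlStructureError("duplicate ID attributes in document")

    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlStructureError("Assertion has no ID attribute")

    # 3. The signature must be enveloped directly in the assertion (a direct
    #    child), not somewhere else in the tree.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise SamlStructureError("Assertion carries no enveloped Signature")

    # 4. A single Reference, and its URI must name this assertion's ID.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SamlStructureError(f"expected one Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if uri != "#" + assertion_id:
        raise SamlStructureError(
            f"signature Reference {uri!r} does not cover Assertion {assertion_id!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlStructureError("Assertion has no Subject/NameID")
    return assertion_id, name_id.text.strip()


def check_response(xml_text):
    """Convenience wrapper: (accepted, detail) instead of an exception."""
    try:
        assertion_id, subject = select_trusted_assertion(xml_text)
    except SamlStructureError as exc:
        return False, str(exc)
    return True, f"{subject} via {assertion_id}"


# Constructed sample responses (signature values are placeholders; only the
# structure matters for these checks).
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">')

GOOD_RESPONSE = _HEAD + """
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Two Assertion elements in one response: rejected by check 1.
TWO_ASSERTIONS = _HEAD + """
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Signature Reference pointing at an ID other than the consumed assertion:
# rejected by check 4.
MISMATCHED_REFERENCE = _HEAD + """
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in [("good", GOOD_RESPONSE), ("two-assertions", TWO_ASSERTIONS),
                      ("mismatched-reference", MISMATCHED_REFERENCE)]:
        print(name, check_response(doc))
```

The order matters: the structural checks run before any attribute of the assertion is used, and the returned ID is the only element the caller should pass to the signature library for verification, so the element whose signature is checked and the element whose subject is trusted can never diverge.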
For CVE-2026-27671, an attacker could exploit the vulnerability without authentication by leveraging incorrect kernel validation to send a crafted RFC request to a vulnerable endpoint, causing memory corruption.
Apart from the critical security issues mentioned above, SAP also addressed two high-severity vulnerabilities: CVE-2026-29145, which consists of multiple Apache Tomcat flaws affecting Commerce Cloud, and CVE-2026-44751, a missing authentication check issue in NetWeaver AS ABAP.
The German enterprise software company also addressed various SQL injection, path traversal, cross-site scripting (XSS), email spoofing, and authentication bypass issues across multiple SAP products.
Details of the defects, mitigation advice, and workarounds are available only to SAP customers with a Security Portal account.
Organizations using affected products should prioritize patching, especially the SAML authentication flaw (CVE-2026-44748) and the memory corruption issue (CVE-2026-27671). These are very severe and could significantly affect an enterprise environment.

