SAP June 2026 Patch Day fixes four critical NetWeaver flaws, including a CVSS 9.9 SAML bypass

Summary:

SAP released 15 new security notes on June 10, 2026, as part of its monthly Security Patch Day. This release is particularly critical, containing four HotNews vulnerabilities rated between CVSS 9.0 and 9.9, two High-priority issues, seven Medium-priority issues, and two Low-priority issues. The four critical vulnerabilities include XML Signature Wrapping in SAML Authentication (CVE-2026-44748, CVSS 9.9), unauthenticated memory corruption through the RFC protocol (CVE-2026-27671, CVSS 9.8), Spring Security HTTP header failure in Commerce Cloud and Data Hub (CVE-2026-22732, CVSS 9.1), and a directory traversal vulnerability in NetWeaver AS Java Web Container (CVE-2026-40128, CVSS 9.0).

The CVSS 9.9 SAML vulnerability allows a low-privileged authenticated attacker to forge signed SAML assertions and bypass authentication assurance, crossing trust boundaries with complete confidentiality, integrity, and availability impact. The CVSS 9.8 RFC memory corruption vulnerability is unauthenticated and requires no credentials. Patches cover SAP NetWeaver AS ABAP, ABAP Platform, NetWeaver AS Java, SAP S/4HANA, SAP Commerce Cloud, SAP Fiori, SAP BusinessObjects BI Platform, SAP Master Data Governance, SAP HANA Cloud, and SAP Enterprise Portal. UAE and MENA organizations running SAP enterprise platforms must apply SAP Notes 3746332, 3717897, 3748024, and 3709420 immediately, as these notes address the four critical vulnerabilities.

Technical Description:

SAP's June 2026 Security Patch Day addresses several critical vulnerabilities across its enterprise software portfolio.

The most severe issue, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping vulnerability affecting Security Assertion Markup Language (SAML) authentication within SAP NetWeaver AS ABAP and ABAP Platform environments. The flaw allows authenticated attackers to manipulate signed SAML assertions, bypass authentication assurances, and impersonate privileged users, potentially compromising the entire SAP environment.

CVE-2026-27671 (CVSS 9.8) affects the SAP kernel's Remote Function Call protocol handling. The vulnerability allows unauthenticated attackers to exploit memory corruption conditions that may result in remote code execution, arbitrary code injection, and complete system compromise.

Another critical vulnerability, CVE-2026-22732 (CVSS 9.1), affects SAP Commerce Cloud and SAP Data Hub through a Spring Security weakness that causes security-critical HTTP response headers to be omitted under certain conditions. This increases exposure to attacks including cross-site scripting, cache poisoning, and clickjacking.

CVE-2026-40128 (CVSS 9.0) is a directory traversal vulnerability affecting SAP NetWeaver AS Java Web Container. The flaw allows unauthenticated attackers to manipulate file inclusion parameters and access or modify files outside intended directories, potentially exposing sensitive configuration files and system data.

SAP also released patches for a missing authorization check vulnerability (CVE-2026-44751, CVSS 7.1) and multiple Apache Tomcat vulnerabilities impacting SAP Commerce Cloud (CVE-2026-29145, CVSS 7.4).

The details of each vulnerability are discussed further below.

CVE: CVE-2026-44748, CVE-2026-27671, CVE-2026-22732, CVE-2026-40128
CVSS: 8.8
Vulnerability Type: XML Signature Wrapping, Memory Corruption, Security Header Omission, Directory Traversal
Affected Product: SAP NetWeaver AS ABAP/Java, ABAP Platform, SAP Commerce Cloud, SAP Data Hub, SAP S/4HANA, SAP Fiori, SAP BusinessObjects, SAP Master Data Governance (MDG), SAP HANA Cloud, SAP Enterprise Portal
Patch Version: Apply SAP Notes 3746332, 3717897, 3748024, and 3709420 immediately. For CVE-2026-44748, disable SAML authentication until patches are fully deployed.

Exploitation Demonstration:

  • CVE-2026-44748 (CVSS 9.9) – SAML XML Signature Wrapping (SAP Note 3746332): A low-privileged authenticated attacker tampers with a signed SAML XML assertion. The modified identity is accepted by the verifier, allowing the attacker to impersonate any user, including administrators. This results in complete confidentiality, integrity, and availability impact across trust boundaries. The vulnerability affects SAP_BASIS versions 702–919, covering all supported ABAP systems. Temporary mitigation: disable SAML authentication.
  • CVE-2026-27671 (CVSS 9.8) – Unauthenticated RFC Memory Corruption (SAP Note 3717897): An unauthenticated attacker sends a crafted RFC request exploiting SAP kernel memory management logic. This can result in complete confidentiality, integrity, and availability impact, with the potential for malicious code injection. No credentials are required, making it the highest exploitation risk among the four critical vulnerabilities.
  • CVE-2026-22732 (CVSS 9.1) – Spring Security Header Omission in Commerce Cloud (SAP Note 3748024): Security-critical HTTP response headers are omitted under certain conditions, enabling cache poisoning, cross-site scripting, and clickjacking attacks. This affects SAP Commerce Cloud HY_COM 2205, COM_CLOUD 2211, and SAP Data Hub.
  • CVE-2026-40128 (CVSS 9.0) – NetWeaver AS Java Directory Traversal (SAP Note 3709420): An unauthenticated attacker manipulates HTTP login request parameters to traverse outside intended directories. This may allow access to or modification of sensitive configuration files and system data. The vulnerability affects ENGINEAPI 7.50.
  • High Priority: CVE-2026-29145 (CVSS 7.4) addresses multiple Apache Tomcat vulnerabilities in SAP Commerce Cloud (SAP Note 3761235). CVE-2026-44751 (CVSS 7.1) addresses a missing authorization check in SAP NetWeaver AS ABAP and ABAP Platform (SAP Note 3735546). Seven Medium-priority and two Low-priority notes were also released. The full list is available through SAP ONE Support Launchpad.
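As an added example that is not part of the original advisory or of SAP's own code, the following shows the structural checks a SAML assertion consumer should apply so that the identity it acts on is the element the signature actually covers, which is exactly the property a signature-wrapping attack of the kind described for CVE-2026-44748 breaks. Element names and the three sample documents are constructed for illustration; a real consumer must additionally verify the XML-DSig signature cryptographically, which this snippet deliberately leaves out.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = f"{{{SAML}}}Assertion"
SIGNATURE, REFERENCE = f"{{{DSIG}}}Signature", f"{{{DSIG}}}Reference"

def trusted_name_id(xml_text):
    """Return the NameID a consumer may trust, or raise ValueError.
    Structural checks run before (not instead of) cryptographic verification:
    one Assertion in the document, a unique ID, an enveloped Signature as its
    direct child, and a single Reference URI equal to "#<that ID>"."""
    root = ET.fromstring(xml_text)
    assertions = list(root.iter(ASSERTION))  # iter() includes root itself
    if len(assertions) != 1:
        raise ValueError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id or sum(e.get("ID") == assertion_id for e in root.iter()) != 1:
        raise ValueError("Assertion ID missing or not unique in document")
    signatures = [c for c in assertion if c.tag == SIGNATURE]
    if len(signatures) != 1:
        raise ValueError("Assertion must carry exactly one enveloped Signature")
    refs = list(signatures[0].iter(REFERENCE))
    if len(refs) != 1 or refs[0].get("URI") != f"#{assertion_id}":
        raise ValueError("Signature Reference does not cover this Assertion")
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Assertion has no Subject/NameID")
    return name_id.text.strip()

def decision(xml_text):
    """Outcome as an ("accept"|"reject", detail) pair for logging and tests."""
    try:
        return "accept", trusted_name_id(xml_text)
    except ValueError as err:
        return "reject", str(err)

# Constructed samples; the Signature elements are placeholders, not real signatures.
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML}" xmlns:ds="{DSIG}">')
SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
SIGNED = (f'<saml:Assertion ID="_a1">{SIG}<saml:Subject><saml:NameID>alice'
          '</saml:NameID></saml:Subject></saml:Assertion>')
GOOD = HEAD + SIGNED + "</samlp:Response>"
# Same signed assertion, with an unsigned assertion naming another identity placed ahead of it.
WRAPPED = (HEAD + '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>mallory</saml:NameID>'
           '</saml:Subject></saml:Assertion><samlp:Extensions>' + SIGNED + '</samlp:Extensions></samlp:Response>')
MISMATCH = HEAD + SIGNED.replace('ID="_a1"', 'ID="_a3"') + "</samlp:Response>"  # Reference "#_a1" no longer covers "_a3"
```

The two rejected documents show the two cheapest places to fail closed: a second Assertion anywhere in the message, and a Reference URI that does not name the assertion whose Subject is about to be trusted.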

Ease of Exploitation:

SAP’s June 2026 Patch Day is one of the most critical monthly releases of 2026. The CVSS 9.9 SAML vulnerability (CVE-2026-44748) is the highest-rated SAP flaw of the year and affects an exceptionally broad version range, meaning virtually every supported SAP ABAP system is impacted.

The unauthenticated CVSS 9.8 RFC memory corruption vulnerability (CVE-2026-27671) requires no credentials and directly affects confidentiality, integrity, and availability within the SAP kernel. Both vulnerabilities have been classified as HotNews issues, SAP’s highest severity category requiring immediate remediation.

Onapsis, SecurityBridge, Red Rays, and Heise Online have independently assessed these vulnerabilities as requiring urgent action. UAE and MENA organizations using SAP as a core ERP, financial, and human resources platform should treat this as an emergency patching event.

Conclusion:

The four critical vulnerabilities affect every major SAP deployment category, including ABAP-based ERP and SAP S/4HANA environments (CVE-2026-44748 and CVE-2026-27671), Java-based NetWeaver and Enterprise Portal environments (CVE-2026-40128), and Commerce Cloud environments (CVE-2026-22732).

The SAP_BASIS version range affected by CVE-2026-44748 spans versions 702 to 919, covering more than a decade of SAP ABAP releases. As a result, no supported system is exempt unless SAML authentication has been disabled. The unauthenticated nature of CVE-2026-27671 makes it especially dangerous for SAP systems exposed to the internet or untrusted networks.

SAP Basis and Information Technology Security teams should coordinate emergency change management activities to apply SAP Notes 3746332 and 3717897 before any other patching priorities in the current cycle.

Impact:

Successful exploitation of CVE-2026-44748 allows attackers to impersonate any SAP user, including administrators, resulting in complete compromise of confidentiality, integrity, and availability across the SAP environment.

Successful exploitation of CVE-2026-27671 can lead to unauthenticated system compromise through memory corruption within the SAP kernel. For UAE and MENA organizations using SAP as their core ERP, financial, human resources, and supply chain platform, these vulnerabilities create a significant risk of business system compromise, exposure of sensitive financial and personnel records, fraudulent transaction insertion, and operational disruption.

UAE Personal Data Protection Law breach notification obligations may apply if personal data stored within SAP environments is exposed. National Cybersecurity Authority Essential Cybersecurity Controls reporting requirements may also apply to critical infrastructure operators using SAP.

IOC and Context Details:

Topics and Details
Tactic Name: Initial Access, Execution, Privilege Escalation, Lateral Movement, Credential Access, Impact
Technique Name: SAML XML Signature Wrapping for Authentication Bypass and User Impersonation (CVE-2026-44748), Unauthenticated RFC Memory Corruption for Full System Compromise (CVE-2026-27671), Spring Security Header Omission Enabling XSS and Cache Poisoning (CVE-2026-22732), Directory Traversal in Java Web Container for Configuration File Access (CVE-2026-40128)
Sub Technique Name:
CVE-2026-44748: Obtain a valid signed SAML message → Tamper with XML containing a modified identity → Submit to verifier → Tampered identity accepted → Full administrator impersonation and cross-scope compromise.
CVE-2026-27671: Craft RFC request targeting SAP kernel memory handling logic → Send request without credentials → Trigger memory corruption → Achieve full confidentiality, integrity, and availability impact on the SAP system.
Attack Type: Vulnerability
Targeted Applications: SAP NetWeaver AS ABAP and ABAP Platform (SAP_BASIS 702–919), SAP NetWeaver AS Java ENGINEAPI 7.50, SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211), SAP Data Hub, SAP S/4HANA, SAP Fiori, SAP BusinessObjects BI Platform, SAP Master Data Governance (MDG), SAP HANA Cloud, SAP Enterprise Portal.
Region Impacted: Global
Industry Impacted: Enterprise (any organization running SAP NetWeaver, SAP ERP, SAP S/4HANA, SAP Commerce, or SAP HANA Cloud environments)
IOCs: N/A
CVE: CVE-2026-44748, CVE-2026-27671, CVE-2026-22732, CVE-2026-40128, CVE-2026-44751, CVE-2026-29145

Recommended Actions:

  • Apply SAP HotNews Note 3746332 (CVE-2026-44748) immediately across all SAP_BASIS 702–919 systems. If patching cannot be completed immediately, disable SAML authentication as a temporary mitigation and coordinate changes with business stakeholders.
  • Apply SAP HotNews Note 3717897 (CVE-2026-27671) immediately. As this is an unauthenticated SAP kernel vulnerability, no compensating control fully mitigates the risk. Restrict RFC connectivity from untrusted network segments until patching is completed.
  • Apply SAP Notes 3748024 (CVE-2026-22732) and 3709420 (CVE-2026-40128) within the emergency maintenance window. Restrict access to affected NetWeaver AS Java and Commerce Cloud services from untrusted networks until remediation is completed.
  • Apply SAP Notes 3735546 (CVE-2026-44751) and 3761235 (CVE-2026-29145) during the same maintenance cycle and do not defer them to future patch windows.
  • Integrate SAP Security Notes into the organization’s vulnerability management process. Use SAP ONE Support Launchpad to identify unpatched systems and prioritize remediation based on business criticality and severity.
  • Review and validate SAML authentication configurations across all SAP ABAP systems. Ensure SAML is enabled only where operationally required and that trust relationships are properly configured and monitored.
  • Monitor SAP logs for unusual RFC connections, unexpected file access activity within NetWeaver AS Java environments, and anomalous SAML authentication events. Forward logs to a centralized security monitoring platform for alerting and investigation.
  • Maintain secure offline backups of SAP configurations and business-critical data. Successful exploitation of these vulnerabilities may enable attackers to alter configurations, manipulate transactions, or exfiltrate sensitive enterprise data.

Reference:

https://www.securityweek.com/sap-patches-critical-netweaver-commerce-vulnerabilities/

https://cybersecuritynews.com/sap-security-patch-day-june/

https://redrays.io/blog/sap-security-patch-day-june-2026/