SAP Patches Critical NetWeaver, Commerce Vulnerabilities
https://www.securityweek.com/sap-patches-critical-netweaver-commerce-vulnerabilities/
Publish Date: 2026-06-09 08:15:30
Source Domain: www.securityweek.com
SAP Releases Critical Security Patches Addressing Multiple High-Severity Flaws
SAP released a batch of security notes on Tuesday addressing 15 vulnerabilities, four of which are rated critical.

The most severe is CVE-2026-44748 (CVSS score 9.9), an XML Signature Wrapping flaw in the SAML authentication of NetWeaver AS ABAP and ABAP Platform. An attacker with normal user privileges can submit tampered XML documents that disrupt system operations and expose sensitive user data.

The second critical issue, CVE-2026-27671, is a memory corruption bug in NetWeaver and ABAP Platform caused by improper validation of RFC protocol messages. An unauthenticated attacker can abuse it to corrupt memory management, with potentially severe consequences for the affected system.

SAP also patched two further critical flaws: CVE-2026-22732 in the Spring Security framework used by Commerce Cloud and Data Hub, and CVE-2026-40128, a directory traversal vulnerability in NetWeaver Application Server Java that could give an unauthenticated attacker access to sensitive information.

In addition, high-severity notes address multiple Apache Tomcat vulnerabilities in Commerce Cloud and a missing authorization check in NetWeaver and ABAP Platform.
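To make the vulnerability class behind CVE-2026-44748 concrete, here is an added illustration of XML Signature Wrapping (XSW) against a SAML consumer. It is example code written for this page, not SAP's code, and it says nothing about how the NetWeaver flaw itself is triggered. It uses a stand-in signature (an HMAC over the referenced element under a constructed key) in place of real XML-DSig, constructed SAML-like messages, and hypothetical consumer functions `naive_name_id` and `hardened_name_id`. The naive consumer verifies a signature and then reads the first Assertion in the document; the attacker moves the genuine signed assertion into an Extensions element and places a forged one first, so the signature still verifies while the consumer acts on attacker-controlled data. The hardened consumer trusts only the element the verified signature covers and rejects documents with more than one assertion or signature.

```python
# Added example of XML Signature Wrapping; not SAP's code. Toy HMAC "signature" stands in for XML-DSig.
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS, "ds": DS_NS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # stable prefixes so serialization is deterministic

# Constructed key standing in for the IdP signing key; real SAML uses RSA/ECDSA XML-DSig.
IDP_KEY = b"example-idp-signing-key"


def canonical_bytes(elem):
    """Serialize elem with any enveloped ds:Signature removed (stand-in for c14n + enveloped transform)."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def sign_in_place(assertion):
    """Append a toy enveloped signature whose Reference points at the assertion's ID."""
    mac = hmac.new(IDP_KEY, canonical_bytes(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{DS_NS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS_NS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS_NS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, f"{{{DS_NS}}}SignatureValue").text = mac


def resolve_reference(root, sig):
    """Return the single element whose ID the Reference URI names; None if missing or ambiguous."""
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return None
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    return matches[0] if len(matches) == 1 else None  # duplicate IDs are another XSW trick


def signature_valid(root, sig):
    """Check the toy signature against the element it references."""
    target = resolve_reference(root, sig)
    if target is None:
        return False
    expected = hmac.new(IDP_KEY, canonical_bytes(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.findtext("ds:SignatureValue", "", NS))


def naive_name_id(response_xml):
    """VULNERABLE: verifies *a* signature, then consumes the *first* Assertion in document order."""
    root = ET.fromstring(response_xml)
    sig = root.find(".//ds:Signature", NS)
    if sig is None or not signature_valid(root, sig):
        raise ValueError("bad signature")
    assertion = root.find(".//saml:Assertion", NS)  # not necessarily the signed one
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def hardened_name_id(response_xml):
    """FIXED: consume only the element the verified signature covers; reject extra assertions."""
    root = ET.fromstring(response_xml)
    sigs = root.findall(".//ds:Signature", NS)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(sigs) != 1 or len(assertions) != 1:
        raise ValueError("expected exactly one signature and one assertion")
    signed = resolve_reference(root, sigs[0])
    enveloped = signed is not None and any(child is sigs[0] for child in signed)
    if signed is not assertions[0] or not enveloped:
        raise ValueError("signature does not cover the assertion being consumed")
    if not signature_valid(root, sigs[0]):
        raise ValueError("bad signature")
    return signed.findtext("saml:Subject/saml:NameID", namespaces=NS)


def build_response(name_id):
    """Constructed IdP response containing one signed assertion for name_id."""
    resp = ET.Element(f"{{{SAMLP_NS}}}Response")
    assertion = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion", ID="_a1")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = name_id
    sign_in_place(assertion)
    return ET.tostring(resp, encoding="utf-8")


def wrap(response_xml, forged_name_id):
    """XSW: forged unsigned assertion first, genuine signed assertion hidden inside samlp:Extensions."""
    root = ET.fromstring(response_xml)
    genuine = root.find("saml:Assertion", NS)
    root.remove(genuine)
    forged = ET.SubElement(root, f"{{{SAML_NS}}}Assertion", ID="_forged")
    subject = ET.SubElement(forged, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = forged_name_id
    ET.SubElement(root, f"{{{SAMLP_NS}}}Extensions").append(genuine)
    return ET.tostring(root, encoding="utf-8")


def demo():
    """Run both consumers on the genuine and the wrapped response; None means rejected."""
    legit = build_response("alice")
    wrapped = wrap(legit, "admin")

    def attempt(consumer, xml):
        try:
            return consumer(xml)
        except ValueError:
            return None

    return {
        "naive_legit": attempt(naive_name_id, legit),
        "naive_wrapped": attempt(naive_name_id, wrapped),        # "admin": attack succeeds
        "hardened_legit": attempt(hardened_name_id, legit),
        "hardened_wrapped": attempt(hardened_name_id, wrapped),  # None: rejected
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point of the hardened version is the binding between verification and consumption: the element returned by resolving the signature's Reference is the element whose data is used, and nothing else in the document is trusted. A production SAML library should enforce the same property, and should additionally reject duplicate ID attributes and references to elements outside the expected schema, which this toy only partly models.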
Key Points:
- SAP's batch of security notes addresses 15 vulnerabilities, four of them rated critical.
- The most severe, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw in SAML authentication for NetWeaver AS ABAP and ABAP Platform.
- CVE-2026-27671 is a memory corruption flaw in NetWeaver and ABAP Platform, reachable by an unauthenticated attacker through improper RFC protocol validation.
- CVE-2026-22732 affects the Spring Security framework used by Commerce Cloud and Data Hub.
- CVE-2026-40128, a critical directory traversal flaw in NetWeaver Application Server Java, was also resolved.