VYPR · Published May 12, 2026 · Updated May 18, 2026

SAP Patches Critical RCE and SQL Injection Flaws in Commerce Cloud and S/4HANA

SAP's May 2026 security updates address 15 vulnerabilities, including two critical flaws enabling unauthenticated remote code execution in Commerce Cloud and SQL injection in S/4HANA.

SAP has released its May 2026 security patch batch, fixing 15 vulnerabilities across multiple enterprise products, with two critical flaws in SAP Commerce Cloud and S/4HANA that pose severe risks to large-scale deployments.

The first critical vulnerability, tracked as CVE-2026-34263, is a missing authentication check in SAP Commerce Cloud, an enterprise-grade e-commerce platform used by online stores owned by large retailers and global brands. According to SAP's advisory, improper Spring Security configuration allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution. This flaw carries a high impact on confidentiality, integrity, and availability of the application, effectively granting unauthenticated attackers full remote control over vulnerable servers.
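The advisory text above describes the underlying defect generically: a configuration-upload endpoint that is reachable without any authentication check. The example below is added here and is not SAP's code, Spring Security's API, or anything from the Commerce Cloud advisory; it is a minimal Python dispatcher that contrasts a route table where nothing enforces authentication with a deny-by-default policy in which every non-public route must declare who may call it. The routes (`/products`, `/admin/config`), handlers and role names are hypothetical, constructed for the example.

```python
"""Added example (hypothetical, not SAP's code): an endpoint that forgets its
authentication check versus a deny-by-default authorization layer."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    method: str
    user: Optional[str] = None          # None means unauthenticated
    roles: frozenset = frozenset()
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: str = ""


# Hypothetical handlers. upload_config is the sensitive one: it changes server state.
def list_products(req: Request) -> Response:
    return Response(200, "products")


def upload_config(req: Request) -> Response:
    return Response(200, f"config applied: {req.body.decode()}")


# --- Vulnerable shape: handlers are wired straight to paths, and nothing in the
# request path checks identity. Whoever can reach the URL can upload config.
VULNERABLE_ROUTES: Dict[Tuple[str, str], Callable[[Request], Response]] = {
    ("GET", "/products"): list_products,
    ("POST", "/admin/config"): upload_config,
}


def dispatch_vulnerable(req: Request) -> Response:
    handler = VULNERABLE_ROUTES.get((req.method, req.path))
    if handler is None:
        return Response(404)
    return handler(req)          # no authentication or authorization check at all


# --- Hardened shape: every route carries an explicit policy and the dispatcher
# denies unless the policy says otherwise. Forgetting a policy cannot silently
# expose a handler, because a non-public route with no roles is rejected by audit().
@dataclass
class Route:
    handler: Callable[[Request], Response]
    public: bool = False
    roles: frozenset = frozenset()


HARDENED_ROUTES: Dict[Tuple[str, str], Route] = {
    ("GET", "/products"): Route(list_products, public=True),
    ("POST", "/admin/config"): Route(upload_config, roles=frozenset({"admin"})),
}


def dispatch_hardened(req: Request) -> Response:
    route = HARDENED_ROUTES.get((req.method, req.path))
    if route is None:
        return Response(404)
    if route.public:
        return route.handler(req)
    if req.user is None:                       # authentication: who are you?
        return Response(401)
    if route.roles and not (route.roles & req.roles):   # authorization: may you?
        return Response(403)
    return route.handler(req)


def audit(routes: Dict[Tuple[str, str], Route]) -> list:
    """Return routes that are neither public nor bound to a role: the exact
    gap the hardened dispatcher is meant to close. Run it at startup or in CI."""
    return sorted(f"{m} {p}" for (m, p), r in routes.items()
                  if not r.public and not r.roles)


if __name__ == "__main__":
    anon = Request("/admin/config", "POST", body=b"set admin=true")
    print("vulnerable, anonymous upload:", dispatch_vulnerable(anon).status)   # 200
    print("hardened,   anonymous upload:", dispatch_hardened(anon).status)     # 401
    print("routes missing a policy:", audit(HARDENED_ROUTES))                  # []
```

The point of the hardened shape is that the decision to expose an endpoint is made in one place and defaults to "no"; an engineer adding a route has to write `public=True` or name a role, and `audit()` turns a missing declaration into a build-time finding rather than a missing-authentication advisory.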

The second critical flaw, CVE-2026-34260, targets SAP S/4HANA, the cloud-based Enterprise Resource Planning (ERP) suite that will replace the company's on-premises ECC ERP system. This low-complexity SQL injection vulnerability enables attackers with basic privileges to inject malicious SQL statements into database queries. SAP explains that the application directly concatenates malicious user input into SQL queries without proper validation or sanitization, allowing attackers to gain unauthorized access to sensitive database information and potentially crash the application. The vulnerability has a high impact on confidentiality and availability, while integrity remains unaffected.
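The S/4HANA description reduces to one mechanism: user input is concatenated into the query text, so the database cannot tell data from code. The example below is added here and is not SAP's code or anything from the S/4HANA advisory; it builds an in-memory SQLite database with constructed rows and runs the same lookup twice, once by string concatenation and once with a bound parameter. It shows both effects the advisory names, data exposure (a UNION pulling rows from an unrelated table) and availability (a malformed input that raises a database error instead of returning an empty result). Table and column names are hypothetical.

```python
"""Added example (hypothetical, not SAP's code): string-built SQL versus a
parameterized query, run against a constructed in-memory SQLite database."""
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an orders table the feature is meant to read,
    and a second table the feature should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.execute("CREATE TABLE api_keys (owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 10.0), (2, "bob", 25.5)])
    conn.execute("INSERT INTO api_keys VALUES ('svc', 'CONSTRUCTED-SECRET')")
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> List[Tuple]:
    """The defect: the caller's string becomes part of the SQL text."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_safe(conn: sqlite3.Connection, customer: str) -> List[Tuple]:
    """The fix: the SQL text is fixed and the value travels as a bound parameter,
    so quotes, comment markers and keywords in it are just characters."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def run(fn: Callable, conn: sqlite3.Connection, value: str) -> Tuple[str, object]:
    """Wrap a lookup so the caller sees either ('ok', rows) or ('error', name);
    the error branch is the availability impact the advisory mentions."""
    try:
        return ("ok", fn(conn, value))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


# Inputs used for the comparison. The second is a textbook UNION-based probe
# (shape only; the point here is that the parameterized query is unaffected).
NORMAL = "alice"
UNION_INPUT = "' UNION SELECT 1, owner, secret FROM api_keys --"
MALFORMED = "'"        # a single quote: breaks string-built SQL outright


def compare(value: str) -> dict:
    """Run one input through both variants and report both outcomes."""
    conn = make_db()
    return {"vulnerable": run(orders_vulnerable, conn, value),
            "safe": run(orders_safe, conn, value)}


if __name__ == "__main__":
    for label, value in [("normal", NORMAL), ("union", UNION_INPUT), ("malformed", MALFORMED)]:
        print(label, compare(value))
```

Run stand-alone, the vulnerable path returns the `api_keys` row for the UNION input and raises `OperationalError` for the bare quote, while the parameterized path returns an empty list for both because no customer has such a name. The defensive takeaway matches the advisory's wording: validation and sanitization are secondary; the primary control is never letting untrusted text reach the query parser.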

SAP's May 2026 security advisory also lists fixes for one high-severity flaw and 11 medium-severity issues, covering command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service vulnerabilities across the product portfolio.

While SAP has not found evidence that any of the vulnerabilities patched today were exploited in the wild, the company's products remain a high-value target. CISA has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog in recent years, including two that were abused in ransomware attacks. Most recently, multiple official SAP npm packages were compromised in a supply-chain attack aimed at stealing credentials and authentication tokens from developers' systems.

As the world's largest vendor of enterprise software, SAP serves 99 of the 100 largest companies worldwide and reported total revenues exceeding €36 billion in fiscal year 2025. The scale of SAP's customer base means that vulnerabilities in Commerce Cloud and S/4HANA — both core platforms for global retail and enterprise operations — carry outsized risk. Organizations running these platforms should prioritize patching CVE-2026-34263 and CVE-2026-34260 immediately, given the potential for unauthenticated remote code execution and database compromise.

Synthesized by Vypr AI