VYPR
Patch · Published Jun 9, 2026 · 1 source

SAP: Twelve Vulnerabilities Disclosed Together on June 9, 2026


Key findings

  • Twelve SAP vulnerabilities disclosed simultaneously on June 9, 2026.
  • Critical flaws include memory corruption, unauthorized data access, and path traversal.
  • Vulnerabilities affect core SAP products such as NetWeaver, ABAP Platform, and Business Objects.
  • Issues range from privilege escalation and SQL injection to XSS and email spoofing.
  • SAP has released patches; prompt application is crucial for mitigation.

On June 9, 2026, SAP disclosed a batch of twelve security vulnerabilities affecting various components of its enterprise software. The disclosures, all published on the same day, range in severity from low to critical, impacting products such as SAP NetWeaver, ABAP Platform, Business Objects, and S/4HANA.

Several critical vulnerabilities were highlighted in the disclosures. CVE-2026-44748, a critical flaw in SAP NetWeaver Application Server ABAP and ABAP Platform, allows an authenticated attacker to tamper with signed XML documents, potentially leading to unauthorized access to sensitive user data. Another critical vulnerability, CVE-2026-27671, affects the SAP Kernel used by Application Server ABAP and ABAP Platform. This flaw, stemming from improper RFC protocol validation, can lead to memory corruption and significant impacts on confidentiality. Additionally, CVE-2026-40128, a critical vulnerability in SAP NetWeaver Application Server Java (Web Container), enables an unauthenticated attacker to perform path traversal and potentially view or modify sensitive information by manipulating file inclusion parameters in HTTP logon requests.

Other notable vulnerabilities include a high-severity privilege escalation flaw, CVE-2026-44751, in Application Server ABAP, where an authenticated user can overwrite another user's information. Several medium-severity issues were also disclosed, including CVE-2026-44757, a cross-site scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager, and CVE-2026-44746, a reflected XSS vulnerability in SAP NetWeaver JAVA's JDBC Test Servlet. SAP Business Objects Business Intelligence Platform is affected by CVE-2026-44755, an email spoofing vulnerability, and SAP S/4HANA contains CVE-2026-44744, an SQL injection vulnerability.

Further medium-severity issues include privilege escalation in SAP MDG (CVE-2026-44750) and arbitrary service calls in SAP Fiori Launchpad (CVE-2026-24315), which could lead to credential theft. The Operational Data Provisioning Data Replication API (ODP-RFC) has a missing caller identification vulnerability (CVE-2026-44754). A low-severity information leak vulnerability was also disclosed for SAP Business Objects (CVE-2026-44743).

SAP has provided patches and updates to address these vulnerabilities. Customers are strongly advised to consult SAP's security notes and apply the relevant updates to mitigate the risks associated with these disclosures. The comprehensive nature of this batch underscores the importance of regular security patching and diligent review of SAP security advisories.

Synthesized by Vypr AI