Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches Critical ABAP Vulnerability

The company has released 19 new security notes addressing flaws in over a dozen enterprise products.

SAP

SAP on Tuesday announced the release of 20 new and updated security notes as part of its April 2026 security patch day.

The most severe of the resolved flaws is CVE-2026-27681 (CVSS score of 9.9), a critical SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution.

“The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” software security firm Onapsis explains.

According to Pathlock senior product manager Jonathan Stross, the upload functionality could be exploited for direct database abuse, allowing an attacker to read and tamper with data without user interaction.

“In a potential attack scenario, an attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores. Once successfully exploited, the vulnerability can allow an attacker to extract sensitive financial data, alter reports, models, or consolidation figures, delete or corrupt database content, and create major disruption,” Stross said.

According to Onapsis, SAP resolved the issue by completely deactivating the executable code.

Advertisement. Scroll to continue reading.

On Tuesday, SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs.

Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure, denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content, or code execution in the victim’s browser.

The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application, and S4CORE.

The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation.

SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the security notes as soon as possible.

Related: SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities

Related: SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities

Related: SAP’s January 2026 Security Updates Patch Critical Vulnerabilities

Related: SAP Patches Critical Vulnerabilities With December 2025 Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.