SAP on Tuesday announced the release of 20 new and updated security notes as part of its April 2026 security patch day.
The most severe of the resolved flaws is CVE-2026-27681 (CVSS score of 9.9), a critical SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution.
“The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” software security firm Onapsis explains.
According to Pathlock senior product manager Jonathan Stross, the upload functionality could be exploited for direct database abuse, allowing an attacker to read and tamper with data without user interaction.
“In a potential attack scenario, an attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores. Once successfully exploited, the vulnerability can allow an attacker to extract sensitive financial data, alter reports, models, or consolidation figures, delete or corrupt database content, and create major disruption,” Stross said.
According to Onapsis, SAP resolved the issue by completely deactivating the executable code.
On Tuesday, SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs.
Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure, denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content, or code execution in the victim’s browser.
The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application, and S4CORE.
The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation.
SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the security notes as soon as possible.
Related: SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities
Related: SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities
Related: SAP’s January 2026 Security Updates Patch Critical Vulnerabilities
Related: SAP Patches Critical Vulnerabilities With December 2025 Security Updates
