SAP has released its July 2026 security updates, addressing 16 vulnerabilities across multiple products, including three rated critical. The most severe is CVE-2026-44747, an out-of-bounds write flaw in SAP NetWeaver Application Server ABAP (AS ABAP) that carries a CVSS score of 9.9.
According to SAP, an authenticated attacker can exploit logical errors in memory management to trigger memory corruption, resulting in unauthorized data access, data modification, or system unavailability. SAP describes the issue as having high impact on confidentiality, integrity, and availability of the application. NetWeaver AS ABAP is the core runtime and development platform underpinning many enterprise SAP deployments.
Two Other Critical Flaws
The second critical issue, CVE-2026-27690, is an HTTP Request Smuggling vulnerability in SAP Approuter, a Node.js-based middleware library used for cloud applications deployed on SAP Business Technology Platform (BTP). Unauthenticated attackers can exploit specially crafted HTTP requests to access other users’ responses or cause denial-of-service conditions.
The third, CVE-2026-44761, affects SAP Commerce Cloud, the company’s enterprise e-commerce platform. The flaw stems from the use of default credentials, which could allow attackers to obtain valid access tokens and subsequently read or modify data through certain APIs.
Additional Fixes
Beyond the three critical bugs, SAP’s July advisory also patches six high-severity, seven medium-severity, and one low-severity vulnerability. These cover a range of issue types, including DLL hijacking, open redirect, missing authorization checks, remote code execution, cross-site scripting, path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations.
SAP says it has not found evidence that any of the vulnerabilities patched this month have been exploited in the wild. However, the company’s products remain a frequent target: CISA has added 14 SAP-related flaws to its Known Exploited Vulnerabilities catalog since November 2021, two of which were leveraged by ransomware operators. SAP’s June 2026 patch cycle addressed 15 vulnerabilities, and the company was also recently affected by a supply chain attack in which multiple official SAP npm packages were compromised to steal developer credentials.
Given SAP’s footprint, the company reports serving 99 of the world’s 100 largest companies, organizations running NetWeaver AS ABAP, Approuter, or Commerce Cloud should prioritize applying these patches, particularly the CVE-2026-44747 fix given its near-maximum severity score.
