Security Intelligence
Loading table of contents...
July 14, 2026 | Security intelligence
At a glance: SAP released 20 new and updated security notes, including four HotNews advisories addressing critical vulnerabilities in NetWeaver, Approuter, and Commerce Cloud. Several of the issues affect core SAP technologies that support business-critical applications, web services, and customer-facing platforms, with potential impacts ranging from data exposure and modification to service disruption. While there are currently no reports of active exploitation, organizations running affected SAP environments may want to prioritize the July updates, particularly for NetWeaver systems given recent threat actor interest in exposed SAP platforms.
On July 14, 2026, SAP released 20 new and updated security notes as part of its monthly Security Patch Day. The release includes four HotNews notes, SAP's highest severity classification, and six High Priority notes. Among the HotNews notes are three newly disclosed critical vulnerabilities affecting SAP NetWeaver Application Server ABAP, SAP Approuter, and SAP Commerce Cloud. The fourth HotNews note updates guidance for CVE-2026-40128, a critical SAP NetWeaver Application Server Java vulnerability first disclosed in June 2026.
The first HotNews note addresses CVE-2026-44747 - a memory corruption vulnerability in the SAP NetWeaver Application Server ABAP kernel. The issue was assigned a Common Vulnerability Scoring System (CVSS) score of 9.9.
NetWeaver ABAP is a core SAP application platform used by many SAP business applications, including Enterprise Resource Planning (ERP) and SAP S/4HANA systems. An authenticated user with low privileges could exploit the flaw to access or modify data, or cause system unavailability.
SAP noted a temporary workaround that involves disabling specific Internet Communication Framework (ICF) services. ICF is the SAP component that provides HTTP and HTTPS access to web-based SAP applications and services. The workaround does not address the kernel vulnerability directly but limits access to the affected functionality by disabling certain web endpoints. The vendor notes that this approach can affect SAP GUI for HTML because it relies on those ICF services.
SAP also patched CVE-2026-27690 (CVSS 9.1), an HTTP request smuggling vulnerability affecting SAP Approuter versions earlier than 20.10.0. SAP Approuter is a Node.js-based component that manages authentication and routes traffic between users and SAP applications in cloud and hybrid environments. The vulnerability affects deployments running outside Cloud Foundry environments and allows an unauthenticated threat actor to send specially crafted HTTP requests that cause SAP Approuter and backend systems to interpret request boundaries differently. This can interfere with how application traffic is processed and may lead to unintended access to application data or disruption of SAP services, depending on the deployment architecture.
A third critical vulnerability, CVE-2026-44761 (CVSS 9.1), affects SAP Commerce Cloud, SAP's e-commerce platform used for online stores and customer transactions. The issue involves sample credentials that SAP provided in development and testing documentation. Organizations that copied those examples into production and left the credentials unchanged may have exposed access to parts of their Commerce Cloud environment. Under those conditions, a threat actor could use the published credentials to obtain access tokens and interact with certain SAP APIs, allowing data access or modification. Organizations that removed the sample configuration or replaced the credentials with unique values are not affected.
SAP also updated Security Note 3727078 for CVE-2026-40128 (CVSS 9.0), a critical directory traversal vulnerability affecting the SAP NetWeaver Application Server Java Web Container. The vulnerability allows an unauthenticated threat actor to send a specially crafted HTTP logon request that can access files outside the intended location. Successful exploitation could expose sensitive information, modify data, or disrupt SAP services. SAP first released a fix in June 2026 and expanded support for additional packages in the July 2026 update.
The NetWeaver vulnerabilities are likely to receive the most attention because they affect core SAP platforms that support many business-critical applications. One vulnerability affects the ABAP kernel used by many SAP workloads, while the other affects the NetWeaver Java Web Container. There are currently no reports of active exploitation, but NetWeaver was the target of significant threat actor activity in 2025, when adversaries exploited CVE-2025-31324 to compromise exposed SAP systems. The NetWeaver Java vulnerability is particularly noteworthy because it can be exploited without authentication, whereas the ABAP vulnerability requires access to a low-privileged account.
Organizations running SAP NetWeaver ABAP are advised to prioritize the July 14, 2026 kernel updates and consider SAP's temporary ICF-based workaround where patching requires additional planning as it may affect SAP GUI for HTML functionality.
Organizations running NetWeaver Application Server Java can identify affected Web Container versions and apply Security Note 3727078, including the July 2026 update. Since the vulnerability can be exploited through a crafted HTTP request without authentication, internet-facing NetWeaver Java systems warrant particular attention. Reviewing web access logs and reducing unnecessary external exposure can help reduce risk while updates are being deployed.
The SAP Approuter vulnerability affects a component that commonly sits in front of SAP applications and handles user traffic. While HTTP request smuggling vulnerabilities have a long history in enterprise applications, successful exploitation often depends on deployment-specific conditions. In this case, the vulnerability only affects deployments running outside Cloud Foundry environments. Organizations using SAP Approuter can identify affected deployments and update vulnerable packages to supported releases.
The Commerce Cloud vulnerability presents a different risk profile: exploitation depends on a sample OAuth configuration being carried from development or testing into production with published credentials left unchanged. Organizations running SAP Commerce Cloud can review production OAuth clients for sample configurations, replace any published credentials that remain in use, and remove development artifacts that were mistakenly retained in production environments.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.

