SAP released 20 Security Notes as part of the April 2026 Patch Day. One is Critical (CVSS 9.0+) and one is High (CVSS 7.0–8.9). The headline issue is SAP Security Note 3719353, a CVSS 9.9 SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse that can let an authenticated user read, modify, and delete database data. Close behind it is Note 3731908, a high-severity authorization flaw that allows an authenticated attacker to overwrite an existing eight-character executable ABAP report and disrupt intended functionality. Several additional 6.5-rated notes target exposed OData services and sensitive HR-related data paths, making this a month where internal trust boundaries matter just as much as internet-facing exposure.
This month is especially important because the top issues span database compromise, application sabotage, and unauthorized business-object manipulation:
- a low-privilege-to-critical SQL injection path in BW/BPC,
- an ABAP report overwrite flaw in ERP and S/4HANA,
- a cluster of S/4HANA OData authorization gaps that can allow unauthorized updates and deletions in maintenance-related data.
Core Takeaways from SAP Patch Day April 2026
BW and BPC teams should treat Note 3719353 as an emergency change. The combination of low privileges, no user interaction, and high impact across confidentiality, integrity, and availability makes it the clearest “patch now” issue this month. SAP’s temporary workaround is also unusually concrete: revoke S_GUI with Activity 60 (Upload) from user accounts until the permanent correction is in place.
ERP and S/4HANA customers should prioritize Note 3731908. Overwriting executable ABAP reports is not just a technical edge case; in practice, it creates a straightforward way to disrupt business processes, disable expected program behavior, and introduce confusion during already sensitive operational windows.
S/4HANA customers running Manage Reference Structures, Manage Reference Equipment, or related technical object services should not dismiss the OData issues as routine medium-severity items. Unauthorized updates and deletions in exposed business services can translate directly into broken maintenance data, process disruption, and audit headaches.
This month also reinforces a familiar reality: many SAP vulnerabilities are no longer about anonymous attackers on the public internet. They are about what happens after a compromised workstation, stolen credentials, an overprivileged user, or a broadly trusted RFC or OData path gives an attacker a foothold inside the landscape.
Critical and High-Priority Security Notes
SAP Security Note 3719353 (CVE-2026-27681) – SQL Injection in SAP Business Planning and Consolidation and SAP Business Warehouse
| Severity | CVSS | Component Scope | Exposure Profile |
|---|---|---|---|
| Critical | 9.9 | HANABPC, BPC4HANA, and SAP_BW releases covered by the note | Authenticated attacker with low privileges; especially relevant in broad internal reporting and planning environments. |
Scope of Usage for SAP Business Planning and Consolidation and SAP Business Warehouse
- Commonality: BW and BPC are common in large SAP landscapes for reporting, planning, and consolidation, especially in finance-heavy enterprises.
- Typical adopters: Global enterprises running management reporting, budgeting, planning, or group consolidation on SAP BW/BPC stacks.
- Internet-facing likelihood: Usually internal rather than public-facing, but often reachable by many internal users, analysts, application servers, or attackers operating from a compromised VPN or endpoint.
What is the Nature of the Vulnerability CVE-2026-27681?
Root issue: insufficient authorization controls on ABAP program upload functionality allowed authenticated end users to execute crafted SQL statements.
What goes wrong in practice: a low-privilege user can move from normal authenticated access to direct database abuse, including reading, modifying, and deleting data. That is why this note carries the highest score of the month and why the impact spans confidentiality, integrity, and availability rather than a single dimension.
Attack Scenarios as a Result of CVE-2026-27681
Plausible path: An attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores.
What an attacker can achieve:
- extract sensitive planning or financial data,
- alter reports, models, or consolidation figures,
- delete or corrupt database content,
- create major disruption in planning and analytics processes.
Business Impact for Organizations Affected by CVE-2026-27681
For many organizations, this is not “just” a technical database flaw. It can become a finance and decision-support problem immediately. Manipulated planning figures, broken reports, or deleted consolidation data can undermine close processes, executive reporting, and operational planning. In the wrong hands, this issue also creates a credible path to both stealthy data theft and overt business disruption.
Pathlock Recommendation on Mitigation
Patch guidance: Apply the correction instructions or support packages referenced in Note 3719353 as soon as possible. SAP’s fix disables the executable code path within the affected ABAP program so end users can no longer invoke it.
If patching is delayed:
- revoke the S_GUI authorization object with Activity 60 (Upload) from user accounts,
- review which users and technical identities still retain upload-related rights,
- monitor for unusual ABAP upload activity, unexpected SQL behavior, or abnormal BW/BPC data changes.
Hardening and monitoring: treat BW/BPC upload pathways as privileged functionality, not routine end-user capability.
SAP Security Note 3731908 (CVE-2026-34256) – Missing Authorization Check in SAP ERP and SAP S/4HANA
| Severity | CVSS | Component Scope | Exposure Profile | Prerequisites |
|---|---|---|---|---|
| High | 7.1 | SAP ERP and S/4HANA private cloud/on-premise releases across SAP_FIN, EA-FIN, EA-APPL, and S4CORE components covered by the note | An authenticated attacker with low privileges who can reach the affected auxiliary program path. | Authenticated access with low privileges; no user interaction required |
How widely are SAP ERP and SAP S/4HANA used?
Commonality: very broad. Unlike niche components, ERP and S/4HANA core business systems are central to many SAP landscapes.
Typical adopters: effectively any organization running the affected ERP or S/4HANA releases.
Internet-facing likelihood: typically internal, but risk increases wherever users retain broad access to development-like transactions, support utilities, or legacy execution paths such as SA38 and SE38.
What is the nature of the vulnerability CVE-2026-34256?
Root issue: insufficient authorization and namespace checks in auxiliary programs intended for SAP Support-assisted correction scenarios.
What actually breaks: an authenticated attacker can overwrite any existing eight-character executable ABAP report without proper authorization. Once the overwritten report is run, the original business functionality may become unavailable. That makes this less about classic data theft and more about targeted operational sabotage.
Attack Scenarios as a Result of CVE-2026-34256
Prerequisites: authenticated access and the ability to run the affected program path.
Plausible path: an attacker misuses one of the correction utilities, replaces an executable ABAP report, and waits for normal operations to trigger the compromised or broken program.
What an attacker can achieve:
- disable expected business functionality,
- create selective outages in business processes,
- force firefighting and emergency troubleshooting,
- hide malicious intent behind what may initially look like an application defect.
Business Impact of CVE-2026-34256
This is a practical disruption vulnerability. Even when confidentiality impact is absent, the ability to break executable reports in ERP or S/4HANA can interrupt finance, operations, or industry-specific processing in ways that are costly and hard to diagnose quickly. Availability attacks inside business applications are often underestimated until they hit a month-end, plant, or service-critical workflow.
Pathlock Recommendation on Mitigation
Patch guidance: implement the correction instructions or support packages in Note 3731908. SAP’s updated logic allows authorized users to perform the intended corrections without generating code and deactivates the older program path.
If patching is delayed:
- assign an authorization group to programs RGJVCORG and RGJVCORX as described by SAP,
- restrict SA38/SE38 access and review who can execute support or correction utilities,
- monitor for unusual report changes and investigate unexpected failures in eight-character executable reports.
Hardening and monitoring: support-only utilities should be tightly governed, logged, and periodically reviewed for continued necessity.
SAP Security Notes 3715177, 3716767, and 3715097 – Missing Authorization Checks in S/4HANA OData Services
| Severity | CVSS | Component Scope | Exposure Profile |
|---|---|---|---|
| Medium, but high business relevance | 6.5 | S4CORE 109 and UIS4H 109 for Manage Reference Structures and Manage Reference Equipment | Authenticated attacker with low privileges using exposed OData services. |
How widely are S/4HANA OData Services used?
Commonality: these services matter most in S/4HANA environments using equipment, maintenance, or reference structure management through Fiori and OData-based workflows.
Typical adopters: asset-intensive industries such as manufacturing, utilities, energy, transport, and any enterprise relying on technical object and equipment structures.
Internet-facing likelihood: the services are usually enterprise-facing rather than public, but they are often broadly reachable inside trusted internal networks and through front-end applications.
What is the nature of the vulnerability for SAP Security Notes 3715177, 3716767, and 3715097?
Root issue: missing authorization checks on child-entity operations in exposed OData services.
What goes wrong in practice: authenticated users can update or delete child entities without proper authorization. For Manage Reference Structures, SAP explicitly requires both the backend note 3715177 and the frontend note 3716767 to achieve the complete fix. Manage Reference Equipment is addressed separately in Note 3715097.
Attack Scenarios as a Result of Notes 3715177, 3716767, and 3715097
Prerequisites: authenticated access to the affected OData services.
Plausible path: an attacker with limited application rights calls the exposed services directly or through a front-end workflow and performs unauthorized updates or deletions against maintenance-related structures.
What an attacker can achieve:
- alter reference structures or equipment relationships,
- delete child records that downstream processes rely on,
- introduce integrity issues that are difficult to spot immediately,
- create operational disruption without needing classic admin privileges.
Business Impact of Security Notes 3715177, 3716767, and 3715097
Integrity issues in maintenance and technical object data rarely stay small. Once reference structures or equipment-related child entities are altered, the downstream effect can include broken planning logic, poor maintenance decisions, incorrect equipment context, and audit concerns around who changed what and why.
Pathlock Recommendation on Mitigation
Patch guidance: implement Notes 3715177 and 3716767 together for Manage Reference Structures, and patch 3715097 for Manage Reference Equipment. Review any associated technical object services as part of the same remediation cycle.
If patching is delayed:
- reduce the exposure of the affected OData services,
- review low-privilege roles assigned to maintenance and equipment users,
- alert on unexpected update or delete activity in these service paths.
Hardening and monitoring: do not treat authenticated OData traffic as inherently safe. These are business-critical write interfaces and should be protected accordingly.
Medium and Lower Priority Notes (Condensed)
1) Information Disclosure and Authorization Gaps Across HR, Analytics, and Core Business Services
Several April notes reinforce how much damage attackers can do with ordinary authenticated access.
- SAP Security Note 3680767 allows low-privilege users in SAP Human Capital Management for SAP S/4HANA to infer sensitive data because the system returned overly specific authorization-check messages.
- SAP Security Note 3705094 allows unauthorized remote calls in SAP Business Analytics and SAP Content Management, exposing sensitive information.
- Lower-scoring issues in Material Master (3703276), Manage Journal Entries (3530544), and certain S/4HANA file-operation functionality (3703813) continue the same theme: missing checks on business functions, reports, RFC calls, and remote interfaces are still a core SAP security problem.
Practical takeaway: authenticated abuse is not a secondary scenario. Review low-privilege roles, remote-enabled function modules, legacy report execution rights, and technical user entitlements as part of this month’s patch validation.
2) Web-Layer Vulnerabilities Still Matter in NetWeaver, SRM, and Java Stacks
April also includes several web-style issues that are easy to underestimate because many require user interaction. NetWeaver AS ABAP has an open redirect flaw in Note 3692004. Web Dynpro Java has a code injection issue in Note 3719397 that can lead to attacker-controlled content executing in the victim’s browser when the clickjacking service is enabled. SAP Supplier Relationship Management has an unauthenticated XSS vulnerability in its SRM catalog handler, as noted in Note 3645228. SAP UI also received a CSS injection fix in Note 3665042. These are not necessarily drop-everything notes in every landscape, but they become much more serious when exposed apps are reachable by broad user populations or external partners.
Practical takeaway: patch exposed web applications promptly, keep redirect and handler logic constrained, and review browser-facing SAP components with the same rigor you apply to server-side flaws. For Note 3692004, do not miss the required allow-list maintenance for RFID device URLs where applicable.
3) BusinessObjects and HANA Administration Platforms Need Attention Too
BusinessObjects BI Platform appears multiple times this month: Note 3696239 addresses a denial-of-service issue tied to embedded Apache Struts, Note 3702191 fixes insecure session handling that could allow token reuse and session hijacking, and Note 3698216 remediates reflected XSS in crafted URLs. On the HANA side, Note 3730639 addresses exposure of the server’s mTLS private key in HANA Cockpit and Database Explorer under specific runtime-tooling conditions. None of these should be dismissed as secondary systems. Analytics and administration platforms frequently hold high-value data and trusted connectivity.
Practical takeaway: patch analytics and admin tooling on the same cadence as core ERP components, especially where they are integrated broadly, accessible to many users, or trusted by back-end systems.
4) Paired Fixes, Manual Steps, and Operational Follow-Through Matter
This month’s notes are not all one-click remediations. Some require paired implementation across front end and back end, such as Notes 3715177 and 3716767 for Manage Reference Structures. Others include explicit temporary workarounds or manual post-implementation steps, such as Note 3731908’s authorization-group workaround and Note 3692004’s UCON or HTTP_WHITELIST allow-list requirement for RFID URLs. Organizations that only import notes without validating the final effective control state can end up patched on paper while still exposed in practice.
Practical takeaway: treat patching as a change process, not just a note import exercise. Validate prerequisites, manual activities, front-end/back-end dependencies, and post-implementation behavior.
What Does SAP April 2026 Patch Day Tell Us?
Three trends stand out.
First, authenticated attack paths dominate the month. The most dangerous issue in April is not an anonymous internet exploit; it is a low-privilege authenticated path to SQL injection in BW/BPC. That aligns with how real SAP breaches unfold after phishing, VPN compromise, workstation takeover, or abuse of overprivileged internal accounts.
Second, business APIs and write-capable services remain a major risk concentration point. OData services, report execution paths, remote function modules, and upload-related utilities are recurring failure points because they sit at the intersection of business logic and trust. When authorization checks fail there, the impact is often more operationally damaging than a generic technical flaw.
Third, remediation quality matters as much as note count. This month includes workarounds, paired notes, manual configuration updates, and permission cleanups. Security teams that measure success by notes imported rather than controls now effective are the ones most likely to miss residual exposure.
Final Recommendations from Pathlock
Patch prioritization
Priority 0 (immediate)
3719353: BW/BPC SQL injection. Patch immediately. If needed, remove S_GUI Activity 60 (Upload) from user accounts as SAP’s temporary workaround.
Priority 1
3731908: ERP/S/4HANA ABAP report overwrite. Patch and apply the temporary authorization-group control if rollout is delayed.
3715177 + 3716767: Manage Reference Structures backend/frontend pair. Implement together.
3715097: Manage Reference Equipment OData authorization fix.
Priority 2
3680767 and 3705094, where sensitive HR or analytics data is in scope.
3696239, 3702191, and 3698216 in BusinessObjects landscapes.
3719397, 3692004, and 3645228 in exposed NetWeaver, SRM, or web environments.
Priority 3
3703813, 3703276, 3530544, 3711682, 3665042, and 3723097 based on your specific landscape, exposure, and compensating controls.
Defense-in-depth beyond patching
Reduce exposure: restrict SA38/SE38 access, minimize remote-enabled function module reachability, review OData publication, and keep admin or analytics surfaces off broad network segments where possible.
Harden authorizations: remove unnecessary upload rights, review low-privilege roles that can reach sensitive HR, BW, or maintenance services, and reduce the use of always-on technical users.
Increase detection: monitor for unusual ABAP uploads, unexpected report changes, unauthorized OData update/delete activity, unusual session reuse in BusinessObjects, and suspicious access to HANA administrative secrets or BI multipart endpoints.
Validate the outcome
After implementing the April notes, verify component versions and patch levels, confirm paired notes were applied together where required, execute any manual activities, and run targeted regression testing on BW/BPC uploads, S/4HANA maintenance services, ERP correction utilities, and exposed web application flows. That is the difference between a patch cycle that looks complete and one that actually reduces risk.
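The prioritization list and the validation step above can be turned into a repeatable check. The script below is an added example, not Pathlock's or SAP's own tooling: the priorities, the 3715177/3716767 pair and the two temporary workarounds come from this post, while the system inventory, user names and authorization data are constructed sample input (in a real landscape they would be exported from the note implementation status and the authorization tables rather than typed in as literals).

```python
"""Residual-exposure check for the April 2026 SAP notes discussed above.

Added example, not Pathlock or SAP code. The inventory and authorization
data below are constructed (hypothetical) sample input.
"""
from dataclasses import dataclass, field

# Patch priorities as listed in the post (note numbers from the page).
PRIORITY = {
    0: {"3719353"},
    1: {"3731908", "3715177", "3716767", "3715097"},
    2: {"3680767", "3705094", "3696239", "3702191", "3698216",
        "3719397", "3692004", "3645228"},
    3: {"3703813", "3703276", "3530544", "3711682", "3665042", "3723097"},
}
ALL_NOTES = set().union(*PRIORITY.values())
# Backend/frontend pair that only closes the gap when both are implemented.
PAIRED = [("3715177", "3716767")]


@dataclass
class System:
    sid: str
    implemented: set
    # user -> authorizations held as (object, ACTVT) tuples, e.g. ("S_GUI", "60")
    user_auths: dict = field(default_factory=dict)
    # program name -> assigned authorization group (absent = unprotected)
    program_auth_group: dict = field(default_factory=dict)


def validate(system: System) -> list:
    """Return residual-exposure findings ordered by priority; [] means clean."""
    findings = []
    for prio, notes in PRIORITY.items():
        for note in sorted(notes - system.implemented):
            findings.append(f"P{prio}: note {note} not implemented")
    for a, b in PAIRED:
        if (a in system.implemented) != (b in system.implemented):
            findings.append(f"P1: paired notes {a}/{b} not applied together")
    # Temporary workarounds only matter while the permanent fix is missing.
    if "3719353" not in system.implemented:
        holders = sorted(u for u, auths in system.user_auths.items()
                         if ("S_GUI", "60") in auths)
        if holders:
            findings.append("P0 workaround gap: S_GUI ACTVT 60 still held by "
                            + ", ".join(holders))
    if "3731908" not in system.implemented:
        open_progs = [p for p in ("RGJVCORG", "RGJVCORX")
                      if not system.program_auth_group.get(p)]
        if open_progs:
            findings.append("P1 workaround gap: no authorization group on "
                            + ", ".join(open_progs))
    return sorted(findings, key=lambda f: f[1])  # stable sort on the P digit


# Constructed sample landscape: one partly patched system, one fully patched.
PARTIAL = System("ERP1", implemented={"3715177", "3731908"},
                 user_auths={"ANALYST1": {("S_GUI", "60")}, "ANALYST2": {("S_GUI", "02")}},
                 program_auth_group={"RGJVCORG": "SUPP"})
PATCHED = System("ERP2", implemented=set(ALL_NOTES))
```

Running `validate(PARTIAL)` reports the missing P0 note together with the user still holding S_GUI upload rights and the half-applied 3715177/3716767 pair, which is exactly the "patched on paper" state the post warns about.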