On 14 July 2026, SAP released 16 new security notes, 1 GitHub security advisory, and 3 updated notes in its July Security Patch Day overview. The month includes 4 critical entries, 6 high-priority notes, 8 medium-priority issues, and 2 low-priority items.
July is notable because the month combines broad exposure across ABAP, Java, SAP BTP, Commerce, SAProuter, Fiori, and supporting Java libraries. Several of the issues are exploitable with no prior access, while others require common enterprise configurations that are often present in production landscapes.
Patch Day Overview
| Priority | Count | Notes / Items |
|---|---|---|
| Critical | 4 | 3747367, 3720138, 3753495, 3727078 (updated) |
| High | 6 | 3758101, 3692165, 3748227, 3741519, 3763800, 3773304 |
| Medium | 8 | 3746678, GHSA-p8gx-753q-v89p, 3537373, 3754659, 3515598, 3713902, 3682699 (updated), 3155685 |
| Low | 2 | 3732522, 3726899 (updated) |
| Total items | 20 | 16 new notes + 1 GitHub advisory + 3 updated notes |
Key Takeaways
- Prioritize the critical ABAP kernel issue, the Approuter request smuggling note, and the Commerce Cloud sample-credential issue first; these are the most likely to produce direct security impact in real environments.
- Do not treat the updated notes as noise. The July overview includes three re-released items that still matter operationally and should be reflected in patch planning and change records.
- The attack surface is distributed: ABAP, Java, BTP, Commerce, SAProuter, UI5, and supporting libraries all appear in the same monthly cycle, so patching needs coordinated platform ownership.
Complete July 2026 Inventory
The table below reflects the full July overview, including the GitHub advisory and the three notes that SAP marked as updates to prior releases.
| Note / Advisory | Title | Priority | Status | CVSS |
|---|---|---|---|---|
| 3747367 | Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP | Critical | New | 9.9 |
| 3720138 | HTTP Request Smuggling in SAP Approuter | Critical | New | 9.1 |
| 3753495 | Insecure Sample Credentials in SAP Commerce Cloud | Critical | New | 9.1 |
| 3727078 | Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) | Critical | Updated | 9.0 |
| 3758101 | Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell) | High | New | 8.8 |
| 3692165 | DLL Hijacking vulnerability in SAProuter on Microsoft Windows | High | New | 8.4 |
| 3748227 | Cross-Site Scripting vulnerability in SAP NetWeaver Application Server Java (Configuration Wizard) | High | New | 8.2 |
| 3741519 | Open Redirect vulnerability in SAP Approuter | High | New | 8.1 |
| 3763800 | Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | High | New | 8.1 |
| 3773304 | Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach) | High | New | 7.6 |
| 3746678 | Cross Site Scripting vulnerability in SAP NetWeaver Enterprise Portal | Medium | New | 6.1 |
| GHSA-p8gx-753q-v89p | Allowlist bypass in setThemeRoot() enables cross-origin CSS injection | Medium | Advisory | 6.1 |
| 3537373 | SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) | Medium | New | 5.5 |
| 3754659 | Cross-Site Scripting vulnerability in SAP NetWeaver Application Server ABAP (BSP applications) | Medium | New | 4.7 |
| 3515598 | Missing Authorization check in SAP S/4HANA (Draft operation) | Medium | New | 4.3 |
| 3713902 | Missing Authorization check in SAP S/4 HANA (Create Single Payment) | Medium | New | 4.3 |
| 3682699 | Path Traversal Vulnerability in SAP Fiori (launchpad) | Medium | Updated | 4.2 |
| 3155685 | Security misconfiguration in SAP CRM (WebClient UI) | Medium | New | 4.1 |
| 3732522 | Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service) | Low | New | 3.7 |
| 3726899 | Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java | Low | Updated | 3.3 |
Critical & High-Priority Security Notes
The following issues deserve immediate attention because they either allow unauthenticated access, lead to direct code execution, or affect widely deployed SAP platform components.
Security Note 3747367 – Memory Corruption Vulnerability in SAP NetWeaver Application Server ABAP
What Is Affected: ABAP Application Server / SAP Kernel / frontend services tied to SAP GUI for HTML. This sits in a core platform layer that many enterprises expose internally and, in some cases, through remote access paths.
Nature of the Vulnerability: The note describes a memory corruption issue in ABAP processing logic. SAP says an authenticated attacker can trigger logical memory-management errors that may lead to unauthorized data access, modification, or system unavailability.
Attack Scenarios: The practical concern is a crafted request that reaches the vulnerable code path and abuses kernel-level memory handling. Because the issue is authenticated, the likely threat model is an internal attacker or a compromised account rather than a blind internet scan.
Business Impact: This is the highest-risk note in the cycle. A successful exploit can affect confidentiality, integrity, and availability at the platform level and may destabilize a core ABAP system.
Mitigation and Recommendations: Apply the ABAP kernel patch referenced by SAP. If patching must be delayed, SAP documents a temporary SICF-based workaround, but it disables SAP GUI for HTML nodes and should be treated only as a stopgap.
Security Note 3720138 – HTTP Request Smuggling in SAP Approuter
What Is Affected: SAP Approuter in BTP / XSA-style deployments, especially non-Cloud Foundry environments. This component is commonly reachable in application delivery paths and sits close to user-facing traffic.
Nature of the Vulnerability: A request-smuggling flaw can desynchronize request and response handling. In practice that means an attacker can interfere with how downstream systems interpret traffic, which can expose responses or make the service unstable.
Attack Scenarios: The realistic path is a crafted HTTP request that reaches an Approuter deployment in a susceptible configuration. The attacker does not need prior credentials, but the exposure is configuration dependent and strongest in non-CF environments.
Business Impact: Because Approuter is often fronting business applications and login flows, the issue can become an availability and data exposure problem at the same time.
Mitigation and Recommendations: Upgrade to @sap/approuter 20.10.0 or later and follow SAP’s configuration guidance for non-Cloud Foundry deployments. Where possible, reduce public exposure and verify reverse-proxy behavior.
Security Note 3753495 – Insecure Sample Credentials in SAP Commerce Cloud
What Is Affected: SAP Commerce Cloud OCC / OAuth client configuration in HY_COM and COM_CLOUD landscapes. This is common in customer-facing commerce environments and can sit directly on internet-facing application paths.
Nature of the Vulnerability: The issue is not a classic code defect but an exposure of sample OAuth2 client credentials that should never remain in production. If customers executed the sample setup and retained the original secret, the values can be abused as real credentials.
Attack Scenarios: An unauthenticated attacker who knows or guesses the default sample client can obtain an access token and call APIs as if they were trusted. That turns a documentation artifact into a real production access issue.
Business Impact: This can lead to unauthorized data read and modification in Commerce Cloud, which is especially serious because storefront and commerce APIs often carry customer and order data.
Mitigation and Recommendations: Audit production for the trusted_client OAuth2 client and remove or rotate any instance that still uses the documented secret. Replace sample values with unique secrets and verify no production system retained the example configuration.
Security Note 3727078 – Directory Traversal Vulnerability in SAP NetWeaver Application Server Java, Web Container
What Is Affected: NetWeaver Java Web Container / ENGINEAPI 7.50. This remains a common Java platform component in enterprise landscapes and is often trusted internally.
Nature of the Vulnerability: The update re-releases the June note with extended support-package coverage. The underlying issue is insufficient path validation that allows traversal outside the intended context.
Attack Scenarios: An unauthenticated attacker can craft a malicious HTTP logon request that manipulates file inclusion parameters. The resulting file processing can expose, alter, or disrupt local resources.
Business Impact: This is a direct platform security issue: path traversal in a Java web container can expose sensitive information and create instability in services that are assumed to be trusted.
Mitigation and Recommendations: Apply the revised support packages. This note has no workaround, so organizations that depend on affected Java versions should prioritize it rather than waiting for a maintenance window.
Security Note 3758101 – Multiple Vulnerabilities in Apache Camel within SAP Integration Suite, Edge Integration Cell (CVSS 8.8, High)
What Is Affected: SAP Integration Suite Edge Integration Cell, especially message-handling paths that use Apache Camel. This is a high-value integration component because it frequently sits between business systems and external endpoints.
Nature of the Vulnerability: The note covers multiple Apache Camel issues, including unsafe deserialization and header-injection weaknesses. These can turn ordinary message processing into code execution or arbitrary file-write risk in downstream components.
Attack Scenarios: The attacker typically needs message-broker access or another path into the integration flow. Once present, crafted messages can exploit deserialization or header handling and then pivot into RCE-style impact.
Business Impact: Integration cells often carry business-critical data flows. A compromise here can affect multiple connected systems at once, which makes the blast radius wider than a single application.
Mitigation and Recommendations: Upgrade to SAP Integration Suite Edge Integration Cell 8.43.11 or later. SAP also recommends strict broker access control and, where feasible, avoiding risky adapter combinations such as AMQP sender where exposure cannot be controlled tightly.
Security Note 3692165 – DLL Hijacking Vulnerability in SAProuter on Microsoft Windows
What Is Affected: SAProuter on Microsoft Windows. SAProuter is often deployed as a boundary component, which makes any local-code-execution flaw operationally important even when the attack requires local conditions.
Nature of the Vulnerability: The issue allows DLL loading from an untrusted location when the installation folder is not properly write-protected. That opens the door to arbitrary code execution in the SAProuter process context.
Attack Scenarios: The attack is practical when an attacker can place a malicious DLL into the SAProuter installation directory or another writable path used by the process. This is a local attack vector, but it is still serious because SAProuter is a control point.
Business Impact: A compromised router component can become a pivot point for broader SAP connectivity abuse, especially if the instance is used to mediate access to productive landscapes.
Mitigation and Recommendations: Install the corrected SAProuter archive or kernel-delivered patch and enforce strict write protection on the SAProuter installation and work directories. SAP explicitly notes that the code fix is not a substitute for proper file-system permissions.
Security Note 3748227 – Cross-Site Scripting in SAP NetWeaver Application Server Java, Configuration Wizard
What Is Affected: NetWeaver Java Configuration Wizard / LM automation runtime. This tool is often used during platform setup and lifecycle operations, which makes it relevant even if it is not customer-facing on a daily basis.
Nature of the Vulnerability: The application does not properly encode URL parameters, allowing reflected XSS through crafted links. The result is browser-side script execution in the victim session.
Attack Scenarios: A victim must click a malicious link. That makes the attack easier to deliver in phishing or internal-admin scenarios than in a pure drive-by setting.
Business Impact: Although XSS is less severe than kernel-level flaws, it can still expose session data or enable unauthorized actions in administrative workflows, especially in privileged tooling.
Mitigation and Recommendations: Patch to the corrected SAP Note version. SAP also advises disabling application aliases when they are not required, and re-enabling them only for specific lifecycle procedures.
Security Note 3741519 – Open Redirect Vulnerability in SAP Approuter
What Is Affected: SAP Approuter in SAP BTP environments, particularly login callbacks that rely on X-Forwarded-Host and broad redirect-URI configuration.
Nature of the Vulnerability: The issue arises when Approuter and XSUAA configuration do not properly constrain redirect targets. That can turn a login flow into a redirect abuse channel that supports phishing or credential theft.
Attack Scenarios: A victim follows a crafted link that appears to be part of a trusted authentication flow. If the deployment uses broad wildcard redirect URIs, the attack becomes significantly more realistic.
Business Impact: The direct effect is credential and session risk. In BTP landscapes, that can become an entry point to higher-value integrations and services if authentication is abused.
Mitigation and Recommendations: Upgrade to SAP Approuter 21.2.0 or later and set CHECK_X_FORWARDED_HOST_IN_LOGIN_CALLBACK=true. Narrow redirect URIs to application-scoped hostnames rather than landscape-wide wildcards.
Security Note 3763800 – Multiple Vulnerabilities in Apache Tomcat within SAP Commerce Cloud
What Is Affected: SAP Commerce Cloud and SAP Data Hub deployments that use the affected Tomcat versions. Commerce platforms are commonly internet-facing or partner-facing, so configuration-dependent flaws can still matter significantly.
Nature of the Vulnerability: The note bundles Tomcat issues around Digest authentication, HTTP/2 header validation, and overlapping authorization constraints. SAP notes that the default out-of-the-box configuration is not exposed, but custom deployments may be.
Attack Scenarios: Where custom Digest auth, HTTP/2, or overlapping security-constraint settings exist, a remote attacker may bypass protections or impact availability. This is especially relevant in tailored Commerce architectures.
Business Impact: Commerce systems are typically business-critical and public-facing. Even configuration-specific vulnerabilities can have high operational and reputational impact when they affect storefront or API flows.
Mitigation and Recommendations: Patch to the updated Commerce or Data Hub releases and verify whether any non-default Tomcat configuration exists. SAP provides interim hardening steps, but the note should be treated as a patch priority item for custom deployments.
Security Note 3773304 – Remote Code Execution Vulnerability in SAP Change and Transport System Attach Tool, ctsattach
What Is Affected: The standalone ctsattach utility used in CTS+ style workflows. Because this is a transport-related tool, it belongs in the change pipeline rather than the application runtime, but it can still be highly sensitive.
Nature of the Vulnerability: The flaw stems from insecure deserialization in a third-party library. A crafted archive can trigger remote code execution when the tool processes it.
Attack Scenarios: The attacker needs a victim to process the malicious archive. That makes the issue more targeted than a mass-exploitation bug, but the consequence is severe if the tool is still in use.
Business Impact: Control over a transport utility can expose sensitive information and influence the software supply chain itself, which makes the issue relevant for release governance as well as security.
Mitigation and Recommendations: SAP states that ctsattach will no longer be available and instructs customers to stop using it and remove all copies. Immediate removal is the correct response, not a routine patch cycle.
Medium and Lower Priority Notes (Condensed)
Several lower-severity notes still matter because they point to recurring themes: missing authorization checks, reflected XSS, path traversal, and exposed configuration. These issues are less likely to become headline incidents than the critical notes above, but they still deserve inclusion in patch planning and audit tracking.
- 3746678 affects SAP NetWeaver Enterprise Portal and is a reflected XSS issue that can expose user sessions when a victim opens a crafted link.
- GHSA–p8gx-753q-v89p is a GitHub advisory for UI5/webcomponents; the setThemeRoot() allowlist bypass can permit cross-origin CSS injection and should be treated as a client-side trust issue in UI5-heavy landscapes.
- 3537373 is an SQL injection issue in SAP S/4HANA Project Management (PPM-PRO), which keeps database-facing injection risk on the patch-day agenda.
- 3754659 is a reflected XSS issue in SAP NetWeaver Application Server ABAP BSP applications, reminding defenders that classic ABAP web surfaces still need careful input handling.
- 3515598 and 3713902 are authorization flaws in SAP S/4HANA workflows. They do not read like exploitation-by-default issues, but they can still enable privilege escalation in business processes.
- 3682699 was re-released in July with updated solution guidance for SAP Fiori Launchpad. This is a good example of why updated notes should remain visible in monthly change records.
- 3155685 affects SAP CRM WebClient UI and points to missing or insufficient Content Security Policy protections.
- 3732522 is a low-severity information-disclosure note in SAP HANA XSC user self-service, but it still matters if the service is enabled in your environment.
- 3726899 is a re-released Log4j-related note for NetWeaver AS Java. Even though the priority is low, library updates in Java stacks often deserve careful dependency and runtime validation.
Defender’s Perspective: What This Patch Day Tells Us
- SAP customers continue to carry a broad attack surface across ABAP, Java, BTP, Commerce, UI5, and supporting libraries. Patch day is now a platform event, not just an application note review.
- Configuration matters. Several of the July notes are exploitable only when non-default settings are present, which means exposure review is just as important as patch import.
- Transport, routing, and integration tooling are now first-class security concerns. The July cycle includes Approuter, SAProuter, Integration Suite, and ctsattach, all of which sit outside traditional ABAP-only thinking.
Final Recommendations
- Patch the critical ABAP, Approuter, Commerce, and Java notes first, then move to the updated notes and medium-priority issues.
- Validate whether your landscape actually uses the affected features before assuming a note is low priority; several July issues are configuration dependent.
- Treat the GitHub advisory and transport-tool issue as part of your development and supply-chain governance, not just your runtime patch backlog.
- Keep a defense-in-depth view: restrict exposure, review redirects and trust boundaries, enforce file-system permissions, and monitor for suspicious requests or process activity even after patching.
Prepared from SAP Security Patch Day July 2026 materials and the uploaded SAP security notes and advisory.