
SAP Patch Day May 2026 | SQL Injection, Commerce Cloud RCE and Supply Chain Risk

19-min read | Published: 05.12.2026 | Updated: 05.12.2026

Executive Summary

SAP released 16 Security Notes as part of the May 2026 Patch Day. Two are Critical with CVSS scores of 9.6, and one is High with a CVSS score of 8.2. The priority this month is clear: patch the critical SQL injection in SAP S/4HANA Enterprise Search, address the Commerce Cloud configuration upload flaw that can lead to server-side code execution, and investigate the malicious NPM package advisory affecting SAP CAP and MTA Build Tool environments.

This month is especially important because the top issues span three different but equally important areas of SAP security:

  • A critical SQL injection in SAP S/4HANA Enterprise Search for ABAP that can expose sensitive database information and potentially crash the application,
  • A critical missing authentication check in SAP Commerce Cloud that can allow malicious configuration upload and arbitrary server-side code execution,
  • A high-severity OS command injection in SAP Forecasting and Replenishment that can result in full confidentiality, integrity, and availability impact,
  • A supply chain advisory for malicious open-source NPM packages used in SAP CAP and MTA Build Tool workflows.

The most important theme this month is that SAP risk is no longer limited to traditional ABAP and Java application servers. May’s patch set reaches into S/4HANA search logic, Commerce Cloud configuration paths, forecasting and replenishment operations, BusinessObjects, SAPUI5, BSP applications, HANA deployment tooling, and developer CI/CD pipelines.

Key Takeaways of SAP Patch Day May 2026

If you run SAP S/4HANA Enterprise Search for ABAP, prioritize SAP Security Note 3724838 immediately. This is the most important technical vulnerability of the month. It allows a low-privileged, authenticated attacker to inject malicious SQL code via user-controlled input, potentially exposing sensitive database information and crashing the application. SAP states that there is no workaround, so remediation depends on implementing the referenced correction instructions or support packages.

SAP Commerce Cloud customers should prioritize SAP Security Note 3733064. The issue is caused by improper Spring Security configuration and can allow unauthenticated access to sensitive configuration upload functionality. Successful exploitation can lead to server-side code execution with high impact across confidentiality, integrity, and availability. There is also no workaround for this note, making patching and redeployment the primary response path.

Supply chain risk deserves special attention this month. SAP Security Note 3747787 addresses malicious open-source package versions in the NPM ecosystem, affecting SAP Cloud Application Programming Model and MTA Build Tool dependencies. Even though this note carries a CVSS score of 0.0, the operational risk is significant if affected versions were installed on developer workstations, CI/CD runners, or build systems. The required response includes cache cleanup, system isolation, secret rotation, repository review, and package auditing.

SAP Forecasting and Replenishment customers should prioritize SAP Security Note 3732471. This is a high-severity OS command injection vulnerability that allows an authenticated attacker with administrative privileges to execute arbitrary operating system commands. The impact is severe: read or modify system data, shut down the system, and potentially compromise confidentiality, integrity, and availability.

The remaining notes reinforce a familiar pattern: authenticated access, weak authorization checks, exposed web functionality, and under-governed administrative tools remain practical attack paths in SAP landscapes. These are not always anonymous internet exploits, but they are exactly the kinds of issues attackers use after credential theft, VPN compromise, or abuse of overprivileged technical users.

Critical and High-Priority Security Notes

SAP Security Note 3724838 (CVE-2026-34260) – SQL Injection in SAP S/4HANA Enterprise Search for ABAP

| Severity | CVSS | Component scope | Exposure profile |
|---|---|---|---|
| Critical | 9.6 | SAP S/4HANA / SAP Enterprise Search for ABAP, SAP_BASIS releases 751-816 and 918 | Authenticated attacker with low privileges; no user interaction required; no workaround available |

How widely is SAP S/4HANA Enterprise Search for ABAP used?

Commonality: SAP Enterprise Search is widely used in S/4HANA environments to provide search capabilities across business objects and application data.

Typical adopters: Organizations running SAP S/4HANA with broad business-user access to enterprise search functions, especially where search is exposed through Fiori launchpad, business roles, or internal application portals.

Internet-facing likelihood: Usually internal, but the practical risk increases when S/4HANA access is available through remote access, VPN, external portals, or broad user populations. Even when not internet-facing, this is highly relevant because only low privileges are required.

Nature of the Vulnerability

Root issue: User-controlled input in SAP S/4HANA Enterprise Search for ABAP is directly concatenated into SQL queries without proper validation or sanitization.

What goes wrong in practice: An authenticated attacker can inject malicious SQL statements through affected input parameters. If successfully exploited, the attacker may gain unauthorized access to sensitive database information and potentially crash the application. SAP rates the impact as high for confidentiality and availability, while integrity is not impacted.

Attack Scenarios

Prerequisites: The attacker needs authenticated access with low privileges. No user interaction is required.

Plausible path: A user with basic application access crafts malicious search input that is processed by Enterprise Search and passed to the underlying database.

What an attacker can achieve:

  • access sensitive database information beyond their intended authorization,
  • trigger application crashes or instability,
  • use search functionality as a database attack path,
  • create disruption in business workflows that depend on Enterprise Search.

Business Impact

This is not a theoretical search-box issue. Enterprise Search often sits close to critical business data and is used by large user populations. A SQL injection at this layer can expose information across business objects and can also disrupt user productivity if the application becomes unstable or unavailable.

For organizations using S/4HANA broadly across finance, procurement, supply chain, or HR-adjacent processes, this should be treated as an urgent remediation item. The lack of a workaround increases the importance of fast patch validation and deployment.

Mitigation and Recommendations

Patch guidance: Implement the support packages, patches, or correction instructions referenced in SAP Security Note 3724838. SAP’s fix validates user input before passing it to the database.

If patching is delayed:

  • reduce the exposure of Enterprise Search wherever possible,
  • restrict access to affected search functionality to business users who require it,
  • monitor database errors, dumps, abnormal search behavior, and unusual query patterns,
  • review logs for repeated malformed search requests.

Hardening and monitoring: Treat high-volume search interfaces as sensitive input surfaces. They should be monitored like other database-adjacent application functions, especially after an authentication compromise.

SAP Security Note 3733064 (CVE-2026-34263) – Missing Authentication Check in SAP Commerce Cloud Configuration

| Severity | CVSS | Component scope | Exposure profile |
|---|---|---|---|
| Critical | 9.6 | SAP Commerce Cloud / SAP Commerce, HY_COM 2205 and COM_CLOUD 2211 / 2211-JDK21 | Unauthenticated attacker; user interaction required; no workaround available |

How widely is SAP Commerce Cloud Configuration used?

Commonality: SAP Commerce Cloud is commonly used by organizations running digital commerce, customer portals, B2B ordering, B2C storefronts, and commerce-integrated backoffice operations.

Typical adopters: Retail, manufacturing, consumer goods, distribution, high-tech, and any enterprise running SAP-backed e-commerce or customer-facing digital commerce platforms.

Internet-facing likelihood: High. Commerce platforms are often exposed to customers, partners, suppliers, and external users. Even if administrative functions are intended to be internal-only, configuration and back-office paths require strict segmentation and access control.

Nature of the Vulnerability

Root issue: Improper Spring Security configuration, including overly permissive security rules and improper rule ordering, allows unauthenticated access to sensitive configuration upload functionality.

What actually breaks: An attacker may perform a malicious configuration upload and trigger code injection. When processed by a legitimate user, this can result in arbitrary server-side code execution. SAP rates the issue as high impact across confidentiality, integrity, and availability.

Attack Scenarios

Prerequisites: The attacker does not require authentication, but exploitation involves user interaction.

Plausible path: An unauthenticated attacker reaches the affected configuration upload functionality, places malicious content, and waits for it to be processed in a way that results in server-side execution.

What an attacker can achieve:

  • execute arbitrary server-side code,
  • access sensitive commerce data and configuration,
  • modify application behavior,
  • disrupt storefront or back-office functionality,
  • pivot into connected systems or services.

Business Impact

This is one of the highest business-risk items of the month because Commerce Cloud environments are frequently exposed beyond the internal corporate network. A successful exploit could affect storefront availability, customer data, order flows, pricing logic, integrations, and trust in the commerce platform.

For customer-facing commerce systems, the combination of unauthenticated access, server-side execution, and the lack of a workaround makes this a patch-first issue.

Mitigation and Recommendations

Patch guidance: Update to the fixed SAP Commerce Cloud patch releases: 2205.49, 2211.51, or 2211-jdk21.10, depending on your release track. SAP’s fix disables the configuration upload functionality by default, preventing unauthenticated access to the affected endpoint.

If patching is delayed:

  • restrict access to Commerce Cloud backoffice and configuration paths,
  • review WAF and reverse proxy rules for sensitive upload endpoints,
  • monitor for unexpected configuration uploads or changes,
  • review application logs for suspicious unauthenticated access attempts.

Hardening and monitoring: Commerce administrative paths should be segmented, monitored, and protected with strong identity controls. Treat any unexpected upload or configuration change as potentially malicious until validated.

SAP Security Note 3732471 (CVE-2026-34259) – OS Command Injection in SAP Forecasting and Replenishment

| Severity | CVSS | Component scope | Exposure profile |
|---|---|---|---|
| High | 8.2 | SAP Forecasting and Replenishment, SCM releases 702, 712, 713, and 714 | Authenticated attacker with administrative authorizations; no workaround available |

How widely is SAP Forecasting and Replenishment used?

Commonality: SAP Forecasting and Replenishment is used in supply chain and retail environments where demand forecasting, stock planning, and replenishment processes are operationally important.

Typical adopters: Retailers, distributors, consumer goods companies, and organizations with complex demand and replenishment requirements.

Internet-facing likelihood: Low by design, but risk increases in environments with broad administrative access, shared operational accounts, or poorly segmented supply chain systems.

Nature of the Vulnerability

Root issue: Operating system commands are executed via function module input parameters, sourced from an upstream component, without sufficient command screening or authorization checks.

What actually breaks: An attacker with administrative authorizations can abuse a non-remote-enabled function to execute arbitrary operating system commands. SAP rates the result as a complete compromise of confidentiality, integrity, and availability.

Attack Scenarios

Prerequisites: The attacker needs authenticated access with administrative authorizations.

Plausible path: A malicious or compromised administrator abuses the affected function path to inject operating system commands.

What an attacker can achieve:

  • read system data,
  • modify system data,
  • shut down the system,
  • disrupt forecasting and replenishment processes,
  • establish a platform for broader compromise.

Business Impact

The severity here is driven by operational criticality. Forecasting and replenishment systems support inventory availability, planning cycles, and supply continuity. If an attacker can shut down the system or modify its data, the impact can quickly shift from a technical compromise to a supply chain disruption.

Even though high privileges are required, this note should not be dismissed. In real environments, privileged SAP accounts, shared admin credentials, and technical users are frequently targeted after initial compromise.

Mitigation and Recommendations

Patch guidance: Implement the correction instructions or support packages referenced in SAP Security Note 3732471. SAP’s fix adds authorization checks and screens OS commands to mitigate the injection path.

If patching is delayed:

  • review who has administrative access in Forecasting and Replenishment systems,
  • restrict access to affected functions,
  • monitor administrative activity and OS command execution,
  • review unusual jobs, scripts, or process launches from SAP application hosts.

Hardening and monitoring: Administrative SAP paths should be treated as high-risk execution surfaces. Monitor not only SAP-level activity but also host-level process behavior.

Special Priority Advisory: SAP Security Note 3747787 – Malicious Open-Source Packages in SAP CAP and MTA Build Tool

| Severity | CVSS | Component scope | Exposure profile |
|---|---|---|---|
| Operationally critical where affected packages were installed | 0.0 | SAP Cloud Application Programming Model, MTA Build Tool, NPM-based developer and CI/CD environments | Any developer workstation, CI/CD runner, or build system where affected versions were installed |

Why Security Note 3747787 matters

This note is different from the others. It is not a classic application vulnerability with a traditional CVSS score. Instead, it addresses malicious NPM package versions that were distributed into the open-source ecosystem and may exfiltrate credentials, propagate into downstream software packages, and modify adjacent repositories when installed.

The affected package versions include:

| Package | Compromised Version | Patched Version |
|---|---|---|
| @cap-js/sqlite | 2.2.2 | 2.4.0 |
| @cap-js/postgres | 2.2.2 | 2.3.0 |
| @cap-js/db-service | 2.10.1 | 2.11.0 |
| mbt | 1.2.48 | 1.2.49 |

SAP explicitly recommends scanning for indicators of compromise, cleaning caches, isolating affected systems, rotating secrets, removing injected workflow branches, cleaning IDE configurations, auditing NPM packages, deleting unauthorized repositories, and pinning exact package versions.

Business Impact

The practical impact can be severe. If a malicious package was installed on a developer machine or CI/CD runner, assume that reachable secrets may be compromised. That includes GitHub and NPM tokens, SSH keys, cloud credentials, Kubernetes or Docker secrets, Terraform or Helm secrets, environment variables, and credentials stored or accessible on the affected system.

In other words, this is not only an SAP development issue. It is a software supply chain, identity, cloud, and CI/CD response issue.

Mitigation and Recommendations

If affected versions were installed:

  • isolate affected developer machines or CI/CD runners,
  • clean CI/CD package caches and internal registry mirrors,
  • rotate all reachable secrets,
  • review repositories for unauthorized branches, workflows, commits, and suspicious activity,
  • remove injected workflow files and malicious IDE configuration changes,
  • audit package versions and lockfiles,
  • delete unauthorized repositories,
  • update to patched versions,
  • pin exact versions to reduce the risk of silent upgrades.

If not affected, still confirm that internal caches do not contain malicious versions and update to patched versions using safe install practices.
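As an added example (not code from SAP or from the note), the following Python script turns the version table and the response list above into a check you can run on a project or a CI/CD runner: it reads package-lock.json, walks the installed node_modules tree, and reports affected packages that package.json does not pin to an exact version. The sample lockfile and manifest embedded in it are constructed, and the script name in the usage comment is hypothetical.

```python
"""Audit an npm project for the package versions listed in SAP Security Note 3747787."""
import json
import os
import re
import sys

# Compromised and patched versions exactly as listed in the note.
COMPROMISED = {
    "@cap-js/sqlite": {"2.2.2"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/db-service": {"2.10.1"},
    "mbt": {"1.2.48"},
}
PATCHED = {"@cap-js/sqlite": "2.4.0", "@cap-js/postgres": "2.3.0",
           "@cap-js/db-service": "2.11.0", "mbt": "1.2.49"}
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")  # an exact pin, not a ^/~ range or a tag


def lockfile_packages(lock):
    """Yield (name, version) for each resolved package (lockfileVersion 2/3 "packages" or v1 tree)."""
    for path, entry in lock.get("packages", {}).items():
        if path and "version" in entry:  # "" is the root project itself
            yield entry.get("name") or path.split("node_modules/")[-1], entry["version"]

    def walk(deps):  # legacy lockfileVersion 1: nested "dependencies" objects
        for name, entry in deps.items():
            if "version" in entry:
                yield name, entry["version"]
            yield from walk(entry.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock):
    """Return sorted (name, version) pairs resolved in the lockfile that are compromised."""
    return sorted({(n, v) for n, v in lockfile_packages(lock) if v in COMPROMISED.get(n, ())})


def find_unpinned(manifest):
    """Return (name, spec) for affected packages that package.json does not pin to an exact version."""
    unpinned = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in PATCHED and not EXACT_VERSION.match(spec):
                unpinned.append((name, spec))
    return unpinned


def scan_node_modules(root):
    """Walk installed node_modules trees under root; return (name, version, path) for compromised installs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files or "node_modules" not in dirpath:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip it, do not abort the scan
        if pkg.get("version") in COMPROMISED.get(pkg.get("name"), ()):
            hits.append((pkg["name"], pkg["version"], dirpath))
    return hits


# Constructed sample input (not real project files) so the checks run offline.
SAMPLE_LOCK = {
    "name": "cap-demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "cap-demo", "version": "1.0.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
        "node_modules/@cap-js/db-service": {"version": "2.11.0"},
        "node_modules/mbt": {"version": "1.2.48"},
    },
}
SAMPLE_MANIFEST = {
    "dependencies": {"@cap-js/sqlite": "^2.2.2", "@cap-js/postgres": "2.3.0"},
    "devDependencies": {"mbt": "~1.2.48"},
}

if __name__ == "__main__":  # usage: python audit_note_3747787.py <project dir>
    project = sys.argv[1] if len(sys.argv) > 1 else "."
    with open(os.path.join(project, "package-lock.json"), encoding="utf-8") as fh:
        lock = json.load(fh)
    with open(os.path.join(project, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    for n, v in find_compromised(lock):
        print(f"LOCKFILE: {n} {v} is compromised; update to {PATCHED[n]}")
    for n, v, p in scan_node_modules(project):
        print(f"INSTALLED: {n} {v} at {p}; treat the host as compromised and rotate reachable secrets")
    for n, spec in find_unpinned(manifest):
        print(f"UNPINNED: {n} {spec!r} allows silent upgrades; pin to {PATCHED[n]}")
```

A clean lockfile is not enough on its own: the installed-tree scan is what catches a runner whose node_modules or cache was populated before the lockfile was corrected.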

Medium and Lower Priority Notes

1) ABAP, NetWeaver, and Platform Injection Issues

Several May notes affect ABAP platform and related server-side execution surfaces. These issues generally require authentication or higher privileges, but they are important because they involve administrative paths, ICF services, reports, and communication channels.

| SAP Note / CVE | Component | Practical Risk |
|---|---|---|
| 3730019 / CVE-2026-40135 | SAP NetWeaver AS ABAP / ABAP Platform | Authenticated administrators can execute crafted shell commands while bypassing logging mechanisms. |
| 3735359 / CVE-2026-40129 | SAP Application Server ABAP for SAP NetWeaver and ABAP Platform | Authenticated attackers can inject crafted input into communication channel functionality, impacting subscribed users. |
| 3726962 / CVE-2026-40131 | SAP HANA Deployment Infrastructure deploy library | High-privileged users can exploit insecure SQL construction in the @sap/hdi-deploy package. |

Note 3730019 deserves particular attention because it combines OS command execution with logging bypass. SAP’s fix disables the affected ABAP report functionality. Note 3735359 also includes a practical workaround: disable the ICF service /sap/bc/apc_test/ping where applicable. Note 3726962 is more constrained because it requires local access and high privileges, but SAP provides a detection query to check whether the vulnerability was exploited.

Practical takeaway: Administrative and test functionality should not remain broadly available in production. Review report execution, ICF services, HANA deployment tooling, and privileged technical access as part of the same remediation cycle.

2) Missing Authorization Checks in Business Applications

May also includes several missing authorization check issues in business-facing SAP applications. These are the kinds of vulnerabilities that often look moderate on paper but matter in real environments because they affect business data integrity and process trust.

| SAP Note / CVE | Component | Practical Risk |
|---|---|---|
| 3718083 / CVE-2026-40133 | SAP S/4HANA Condition Maintenance | Authenticated users may view or modify condition table records and potentially block legitimate access. |
| 3721959 / CVE-2026-40132 | SAP Strategic Enterprise Management / Balanced Scorecard Wizard | Unauthorized users may view information, change default settings, and manipulate value fields that influence risk evaluations. |
| 3718508 / CVE-2026-40134 | SAP Incentive and Commission Management | Authenticated users may invoke a remote-enabled function module to perform table update operations. |

Condition Maintenance is particularly relevant because pricing, conditions, and commercial master data are sensitive business-control areas. Unauthorized changes may not look like a system compromise at first, but they can directly affect sales, purchasing, revenue, or downstream calculations.

Strategic Enterprise Management and Incentive and Commission Management should also be reviewed carefully. Any application that influences risk evaluations, commissions, or table updates can create audit and compliance problems if authorization enforcement is incomplete.

Practical takeaway: missing authorization checks are not “medium-risk housekeeping.” They are business integrity issues. Validate affected roles, remote-enabled functions, and business-owner approvals after patching.

3) Web-Layer Vulnerabilities: XSS, CSRF, and Content Spoofing

Several May notes target browser-facing SAP applications and UI components. These issues usually require user interaction, but they become more relevant where SAP applications are exposed to large user populations, partners, or external users.

| SAP Note / CVE | Component | Practical Risk |
|---|---|---|
| 3727717 / CVE-2026-40137 | BSP application TAF_APPLAUNCHER | Unauthenticated attackers can craft malicious links that redirect users to attacker-controlled content; relevant where the application is active. |
| 3667593 / CVE-2026-0502 | SAP BusinessObjects BI Platform | Insufficient CSRF protection can cause authenticated users to send unintended requests. |
| 3728690 / CVE-2026-27682 | SAP NetWeaver AS ABAP BSP applications | Reflected XSS through an unprotected URL parameter. |
| 3726583 / CVE-2026-34258 | SAPUI5 Search UI | Content spoofing / open redirect via manipulated URL parameters. |

For TAF_APPLAUNCHER, SAP notes that the application must be activated for the vulnerability to exist and provides a workaround: deactivate the BSP TAF_APPLAUNCHER application if CBTA is not being used. SAP also states that customers who have not yet applied Note 3688319 should apply that note first, then apply 3727717.

For BusinessObjects BI, the CSRF issue matters because BI platforms often expose sensitive reports, analytics, and administrative workflows. Even low-integrity or availability impacts can become operationally meaningful when many users rely on BI portals.

Practical takeaway: patch exposed web applications promptly, reduce unnecessary BSP and ICF exposure, and make sure browser-facing SAP components are covered by security testing and monitoring.

Two lower-scored notes still deserve attention depending on the landscape.

| SAP Note / CVE | Component | Practical Risk |
|---|---|---|
| 3716450 / CVE-2025-68161 | SAP Commerce Cloud / Apache Log4j | Potential improper certificate validation in Apache Log4j Core Socket Appender could allow man-in-the-middle attacks on log connections. |
| 3713521 / CVE-2026-40136 | SAP Financial Consolidation | Authenticated attackers can temporarily disconnect other users by terminating sessions. |

The Commerce Cloud Log4j note is of lower severity, and SAP states that SAP Commerce Cloud in the Public Cloud standard configuration does not leverage Socket Appender and is therefore not directly affected. However, customers still need to update to the fixed release, rebuild, and redeploy their SAP Commerce Cloud version after patching.

The Financial Consolidation issue is availability-focused. It does not compromise the application itself, but it can interrupt user access by terminating sessions. During finance close or consolidation windows, even temporary session disruptions can become a business issue.

Practical takeaway: a low CVSS score does not always indicate low business relevance. Prioritize based on where the component sits in critical business processes.

Defender’s Perspective: What the May 2026 Patch Day Tells Us

Three trends stand out.

  1. SQL injection remains a critical risk even in mature SAP application layers. The Enterprise Search vulnerability demonstrates how a widely used, business-facing feature can become a database-exposure path when input validation fails. This is especially serious because the attacker only needs low privileges and no user interaction.
  2. Configuration and administrative surfaces are high-value targets. Commerce Cloud configuration upload, ABAP report execution, OS command handling, and Forecasting and Replenishment administrative functions all show the same pattern: features designed for powerful operations become dangerous when authentication, authorization, or input validation fails.
  3. SAP security now includes the developer supply chain. The malicious NPM package advisory is a clear reminder that SAP CAP, MTA Build Tool, CI/CD runners, package caches, GitHub workflows, and developer laptops must be part of SAP security operations. A compromised build environment can expose secrets and propagate risk far beyond a single application.

The practical lesson: SAP patching is no longer just a Basis task. It requires coordination across Basis, security, development, DevOps, Commerce Cloud teams, business application owners, and identity teams.

Final Recommendations by Pathlock’s Security Teams

Patch Prioritization

Priority 0 – Immediate

3724838 – SAP S/4HANA Enterprise Search SQL Injection
Patch immediately. There is no workaround. Focus first on production S/4HANA systems with broad user access or exposed search functionality.

3733064 – SAP Commerce Cloud Missing Authentication / Server-Side Code Execution
Patch and redeploy immediately. There is no workaround. Pay special attention to internet-facing Commerce Cloud environments and to any system where back-office or configuration functionality is accessible.

3747787 – Malicious NPM Packages in SAP CAP and MTA Build Tool
Treat as an incident-response item if affected versions were installed. Clean caches, isolate affected systems, rotate secrets, inspect repositories, and update to patched versions.

Priority 1

3732471 – SAP Forecasting and Replenishment OS Command Injection
Patch quickly, especially in retail or supply chain environments where forecasting and replenishment availability is business-critical.

3730019 – SAP NetWeaver AS ABAP / ABAP Platform OS Command Injection
Patch and review privileged report execution. The logging-bypass aspect makes this especially relevant for detection and audit teams.

3718083 – SAP S/4HANA Condition Maintenance Missing Authorization Check
Prioritize where condition records influence pricing, revenue, purchasing, or commercially sensitive processes.

3727717 – TAF_APPLAUNCHER BSP XSS
Patch where CBTA or TAF_APPLAUNCHER is active. Deactivate the BSP application if CBTA is not used.

Priority 2

Address the broader authorization and web-layer cluster:

  • 3721959 – Strategic Enterprise Management / Balanced Scorecard Wizard
  • 3667593 – BusinessObjects BI CSRF
  • 3728690 – NetWeaver AS ABAP BSP reflected XSS
  • 3726583 – SAPUI5 Search UI content spoofing
  • 3735359 – ABAP communication channel code injection
  • 3726962 – HANA HDI deploy library SQL injection

Prioritize based on exposure, business sensitivity, and whether affected services are reachable by broad user populations.

Priority 3

Patch and validate based on landscape relevance:

  • 3716450 – SAP Commerce Cloud Apache Log4j certificate validation
  • 3713521 – SAP Financial Consolidation denial of service
  • 3718508 – SAP Incentive and Commission Management missing authorization check

Do not ignore these indefinitely. Lower CVSS issues can still matter during finance-close windows, commerce release cycles, or commission-processing periods.

Defense-in-Depth Beyond Patching

Reduce exposure: keep Commerce Cloud administration, configuration upload paths, ABAP test services, BSP applications, and privileged SAP functions away from broad network access. Disable unused ICF/BSP services such as /sap/bc/apc_test/ping or TAF_APPLAUNCHER where SAP provides that as a valid temporary control.

Harden identities: review administrative accounts, shared technical users, RFC-enabled access, developer tokens, CI/CD credentials, and cloud secrets. For the malicious NPM advisory, assume secrets reachable from infected systems are compromised and rotate them accordingly.

Increase detection: monitor for SQL errors, abnormal Enterprise Search behavior, suspicious Commerce Cloud configuration changes, unexpected OS process launches from SAP hosts, unusual ABAP report execution, suspicious GitHub workflow changes, and unexpected outbound traffic from developer or build systems.

Strengthen development controls: pin exact NPM package versions, clean internal caches, audit lockfiles, monitor CI/CD runners, and require review for workflow-file changes. SAP development supply chain hygiene should now be part of SAP security operations, not a separate DevOps-only concern.

Validate the Outcome

After implementing the May 2026 notes, confirm that the corrections are truly effective:

  • verify component versions, support package levels, and Commerce Cloud patch releases,
  • confirm that SAP Enterprise Search no longer accepts unsafe SQL input patterns,
  • validate that Commerce Cloud configuration upload functionality is disabled or protected as intended,
  • test Forecasting and Replenishment workflows after applying the OS command injection fix,
  • confirm that affected BSP, ICF, SAPUI5, BusinessObjects, and ABAP Platform services behave correctly after patching,
  • scan developer machines, CI/CD runners, internal package caches, and repositories for the malicious package indicators in Note 3747787.

This month’s patch set is a reminder that effective SAP security requires more than importing notes. It requires validating business impact, closing exposed interfaces, monitoring abuse paths, and extending SAP security governance into cloud, commerce, and software supply chain environments.
