
SAP Patch Tuesday June 2026: Critical Vulnerabilities

13-min read
Published: 06.09.2026 | Updated: 06.09.2026

SAP released 15 Security Notes on the June 2026 Patch Day. Four are Critical, and two are High, with the most urgent issues affecting SAP NetWeaver AS ABAP, SAP NetWeaver AS Java, and SAP Commerce Cloud. The current note set includes one unauthenticated RFC kernel memory-corruption issue, one SAML authentication flaw with the potential for full compromise, one Java directory-traversal issue, and two Commerce Cloud vulnerabilities that can expose or weaken customer-facing platforms.

Key Takeaways

  • Prioritize the unauthenticated SAP Kernel RFC memory corruption issue (Note 3717897) and the SAML XML Signature Wrapping issue in ABAP (Note 3746332) first.
  • Treat the Java directory traversal issue (Note 3727078) as a perimeter exposure problem, especially where Web Container endpoints are reachable outside a trusted network segment.
  • Commerce Cloud customers should review the Spring Security and Tomcat notes together, because these issues affect externally reachable commerce services and may require patching plus rebuild/redeploy work.
  • Do not stop at patching alone. Review exposed services, trust boundaries, authentication flows, and technical RFC users, because several of the medium-severity notes are exactly the kinds of weaknesses attackers use after initial access.
  • The lower-severity notes still matter in mature environments because they include SQL injection, ODP-RFC exposure, Fiori path traversal, and information-disclosure issues in BusinessObjects and Java components.

Critical-Priority Security Notes

The following notes require the closest attention this month. The first four are Critical, followed by two High-priority issues that still deserve immediate remediation planning in internet-facing or broadly reachable environments.

3717897 / CVE-2026-27671: Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

Priority: Critical

What Is Affected: SAP Kernel / RFC processing in the Application Server ABAP. The issue affects kernel-level RFC protocol validation and therefore sits deep in the ABAP stack. Where the RFC endpoint is reachable, the exposure is not limited to a single business function.

Scope of Use: This is common infrastructure code in ABAP landscapes. Every mature SAP estate that uses RFC-based integration should treat the kernel patch level as operationally important, because the vulnerable path is not tied to a niche application add-on.

Nature of the Vulnerability: An unauthenticated attacker can send a crafted RFC request that triggers logical errors in memory management. The result is memory corruption with the potential for full code execution or crash-level failure. Unlike application-layer bugs, this kind of flaw sits underneath many business controls.

Attack Scenarios: The most realistic abuse path is direct network exploitation against an exposed or reachable SAP application server. Once an attacker can influence the kernel memory state, the impact can extend beyond a single transaction and can become a platform-level compromise or a hard outage.

Business Impact: This is one of the most serious notes in the batch because the attack requires no authentication and can simultaneously affect confidentiality, integrity, and availability. A successful exploit can undermine the trustworthiness of the entire ABAP instance and everything connected to it.

Mitigation and Recommendations: Apply the kernel patch level referenced in the note as soon as possible. There is no workaround. If immediate patching is not possible, reduce network reachability to RFC services, review gateway exposure, and monitor for abnormal RFC traffic and unexpected instability in work processes.

3746332 / CVE-2026-44748: XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform

Priority: Critical

What Is Affected: SAP NetWeaver AS ABAP and ABAP Platform SAML authentication. The vulnerable flow affects signed XML verification in the ABAP web service security stack and can influence identity handling during login.

Scope of Use: This is broadly relevant wherever SAML is used for SAP authentication, especially in enterprise environments with portal access, federated identity, or centralized login paths. In large estates, this is not an edge case; it is a core authentication control.

Nature of the Vulnerability: An authenticated attacker with normal privileges can obtain a valid signed message and then submit modified XML documents that are still accepted by the verifier. The flaw is in the verification logic, not in the signature itself, which makes it especially dangerous for identity trust.

Attack Scenarios: A realistic abuse scenario is account-level access followed by token or assertion manipulation. Once an attacker can influence the SAML acceptance path, they may impersonate identities, access sensitive data, or alter system usage patterns in ways that are difficult to spot from the outside.

Business Impact: This is a high-severity identity trust issue with significant business impact because it can enable unauthorized access to sensitive applications and data. Where SAML underpins employee or partner access, compromise of this control plane can affect multiple connected systems.

Mitigation and Recommendations: Implement the correction instructions or support package for the affected SAP_BASIS and related releases. SAP also notes that disabling SAML authentication is a workaround, but it is only a temporary measure and usually not acceptable in production except as an emergency containment step.
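The verification-logic gap described above is the binding between what the signature actually covers and what the consumer goes on to trust. The following is an added example, not SAP code: a structural "see what is signed" check that a SAML consumer applies before accepting an Assertion, run against two constructed Response documents (one legitimate, one wrapped). It performs no cryptographic signature verification; that step is assumed to happen separately.

```python
# Added example (not SAP code): structural "see what is signed" check a SAML consumer
# should apply before trusting an Assertion. It does not verify the signature
# cryptographically; it enforces the binding between the ds:Signature Reference and
# the Assertion actually consumed, which is the verification gap wrapping exploits.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def check_signed_assertion(xml_text):
    """Return "ok", or a "reject: ..." reason, for a SAML Response document."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    assertions = root.findall(f".//{{{SAML}}}Assertion")
    if len(assertions) != 1:
        return f"reject: expected exactly one Assertion, found {len(assertions)}"
    signatures = root.findall(f".//{{{DS}}}Signature")
    if len(signatures) != 1:
        return f"reject: expected exactly one Signature, found {len(signatures)}"
    refs = signatures[0].findall(f".//{{{DS}}}Reference")
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        return "reject: Signature must carry exactly one same-document Reference"
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return "reject: duplicate ID attributes"
    signed = next((el for el in root.iter() if el.get("ID") == refs[0].get("URI")[1:]), None)
    if signed is None:
        return "reject: Reference URI does not resolve"
    # Enveloped signature: the Signature must be a direct child of what it signs.
    if parent.get(signatures[0]) is not signed:
        return "reject: Signature is not enclosed by the element it references"
    # What was signed must be the consumed Assertion, or the Response directly holding it.
    if signed is not assertions[0] and not (signed is root and parent.get(assertions[0]) is root):
        return "reject: signed element does not cover the consumed Assertion"
    return "ok"


# Constructed samples; SignatureValue is a placeholder because no crypto is checked.
HEAD = f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1">'
SIGNED = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
          '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
          '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature></saml:Assertion>')
FORGED = '<saml:Assertion ID="_x"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>'
LEGIT = HEAD + SIGNED + "</samlp:Response>"
# Wrapped: the unsigned FORGED Assertion sits where a naive consumer reads it, while the
# original SIGNED Assertion is parked in Extensions so the Reference still resolves.
WRAPPED = HEAD + f"<samlp:Extensions>{SIGNED}</samlp:Extensions>" + FORGED + "</samlp:Response>"
```

A verifier that only asks "does some Reference resolve and does its digest match?" accepts WRAPPED; the structural check rejects it before any identity is extracted.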

3727078 / CVE-2026-40128: Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

Priority: Critical

What Is Affected: SAP NetWeaver AS Java Web Container. The affected component is part of the application server runtime and can process malicious HTTP logon requests that manipulate file inclusion parameters.

Scope of Use: This matters in Java-heavy SAP estates such as portals, integrations, and older NetWeaver landscapes. Even where Java is not the primary business platform, the Web Container is often internet-facing or exposed to a wide internal audience.

Nature of the Vulnerability: The vulnerability stems from insufficient path validation. An unauthenticated attacker can craft a malicious request that escapes the intended context and forces the application to process an included file outside the safe path.

Attack Scenarios: An attacker needs only network access and a reachable endpoint. Once exploited, the impact can range from the disclosure of sensitive files to the modification of local files or a denial of service if the local system becomes unstable or unusable.

Business Impact: This is a perimeter and trust-boundary issue. The business impact depends on what the Web Container can reach, but in practice, it can expose credentials, configuration data, or application behavior that assists follow-on compromise.

Mitigation and Recommendations: Apply the SAP support package or patch level referenced in the note. There is no workaround. Review whether the Java Web Container is reachable from untrusted networks and reduce exposure wherever possible until the patch is in place.

High-Priority Security Notes

3748262 / CVE-2026-22732: Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub

Priority: High

What Is Affected: SAP Commerce Cloud and SAP Data Hub. The issue affects Spring Security response handling, specifically cases where security headers may not be written in time on certain response paths.

Scope of Use: This is highly relevant to SAP customers running customer-facing commerce services or cloud-enabled commerce processes. The affected products sit directly at the edge of the enterprise, where HTTP behavior matters immediately.

Nature of the Vulnerability: This is a security misconfiguration and response-handling flaw. Under specific conditions, Spring Security may fail to write important security headers before the response is finalized, weakening browser-side protections and, in some paths, reducing assurance around confidentiality and integrity.

Attack Scenarios: An attacker does not need a deep foothold to benefit from this. If they can influence the request path or exploit the affected endpoint’s behavior, they may weaken header-based browser defenses and create a more permissive attack surface for downstream abuse.

Business Impact: For commerce platforms, security headers are not cosmetic. Missing or inconsistent headers can support session abuse, content injection paths, and weaker client-side protection. The broader business impact is customer trust, transaction integrity, and exposure of a public-facing SAP service.

Mitigation and Recommendations: Patch to the fixed Commerce Cloud or Data Hub release levels referenced in the note and rebuild/redeploy where required. Review the affected endpoint exposure and validate that the deployment pipeline reflects the corrected library and configuration state.
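Validating "the corrected library and configuration state" in the running environment means checking that the default header set actually reaches every response path, not just the happy path. The following is an added example, not SAP or Spring code: a small audit over raw HTTP response heads that reports headers missing or weakened per path. The sample responses are constructed; the header names and default values are Spring Security's.

```python
# Added example (not SAP or Spring code): post-redeploy check that the headers
# Spring Security writes by default reach every response path, including the
# redirect/error paths on which the note says they may be missing. Samples are
# constructed; header names and default values are Spring Security's.
# Header -> predicate on its value. HSTS is expected on HTTPS responses only.
REQUIRED = {
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "X-Frame-Options": lambda v: v.upper() in {"DENY", "SAMEORIGIN"},
    "Cache-Control": lambda v: "no-store" in v.lower(),
}
HSTS = ("Strict-Transport-Security", lambda v: "max-age=" in v.lower())


def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status code, lower-cased header map)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {n.strip().lower(): v.strip()
               for n, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    return status, headers


def audit(path, scheme, raw):
    """Return one finding per missing or weak header on this response path."""
    status, headers = parse_response(raw)
    checks = {**REQUIRED, **({HSTS[0]: HSTS[1]} if scheme == "https" else {})}
    findings = []
    for name, ok in checks.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"{path} ({status}): missing {name}")
        elif not ok(value):
            findings.append(f"{path} ({status}): weak {name}: {value}")
    return findings


# Constructed samples: a page carrying the full default set, and a redirect path on
# which the headers were never written before the response was committed.
SAMPLES = {
    "/": ("https", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
          "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
          "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n"),
    "/login": ("https", "HTTP/1.1 302 Found\r\nLocation: /login?error\r\nContent-Length: 0\r\n"),
}


def audit_all(samples=SAMPLES):
    return [f for path, (scheme, raw) in samples.items() for f in audit(path, scheme, raw)]
```

In practice the samples would be captured from the redeployed Commerce Cloud endpoints, covering login, logout, error and redirect paths as well as normal pages.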

3747484 / CVE-2026-29145 / CVE-2025-66614 / CVE-2026-24734: Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud

Priority: High

What Is Affected: Apache Tomcat bundled with SAP Commerce Cloud. The issues affect certificate-based authentication and validation mechanisms in the application server layer.

Scope of Use: This is common in Commerce Cloud deployments that rely on Tomcat for externally reachable services. Many enterprise customers use this stack in business-critical customer channels, which makes even configuration-dependent issues operationally relevant.

Nature of the Vulnerability: The vulnerabilities involve certificate authentication bypass and validation weaknesses, including SNI and host header handling as well as OCSP response validation. The common theme is that a trust decision may be made on incomplete or incorrect certificate-state information.

Attack Scenarios: Attackers would need the right deployment conditions, but that is common enough to matter. Where client certificate authentication is used, a bypass or validation flaw can let unauthorized users reach protected services or present revoked material as though it were valid.

Business Impact: This is a high-risk access-control problem for customer-facing commerce services. A failure in client certificate enforcement can undermine authenticated access paths and expose sensitive workflows or data that the business assumes are restricted.

Mitigation and Recommendations: Upgrade to the patched Commerce Cloud release or update release listed in the note and rebuild/redeploy the application. Validate whether your deployment uses the affected certificate-based configurations and treat non-default settings as part of the remediation scope.

3735546 / CVE-2026-44751: Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform

Priority: High

What Is Affected: ABAP application server report generation logic. The affected path allows an authenticated user to trigger a report generation command that can overwrite information belonging to another user.

Scope of Use: This is a broadly relevant ABAP issue because it sits in the application server and affects classic NetWeaver / ABAP Platform landscapes. Any organization that relies on standard ABAP business processes and report handling should review it.

Nature of the Vulnerability: A missing authorization check. An authenticated user can perform an action that should be restricted, leading to unauthorized overwrites and privilege escalation.

Attack Scenarios: The practical attack path is straightforward: a low-privilege user executes a report-generation action that should have required a more specific authorization. This can result in tampering with another user’s data or process output.

Business Impact: The direct business impact is integrity-related. Report data is often used for financial, operational, or compliance decisions, so an overwrite or unauthorized change can have consequences beyond the technical issue itself.

Mitigation and Recommendations: Implement the support package or correction instructions in the note. Because this is a control issue rather than a cosmetic flaw, also review who can execute the affected report-related functionality and whether additional authorization reviews are warranted.

Medium and Lower Priority Notes

The remaining notes are lower in severity but still relevant because they reflect the same patterns attackers use in real incidents: low-privilege access, trust-boundary abuse, web entry points, and misconfigurations that leak information or weaken controls. In many landscapes, these issues become important precisely because they are easier to reach than the top-tier vulnerabilities.

ABAP data exposure and authorization themes

Note 3751691 (SQL injection in SAP S/4HANA CA-EPT-SSC) is an authenticated SQL injection issue in a remote-enabled function module. Its CVSS score is lower than the critical ABAP issues, but it still deserves attention because the confidentiality of database content is directly affected. Note 3748819 (missing caller identification in ODP Data Replication APIs) can expose replication data and should be reviewed wherever ODP-RFC is active. Note 3673181 in SAP MDG is a classic missing-authorization issue in the Review Match Groups application; on its own, it is not a headline item, but in a mature landscape, these control gaps accumulate and expand the effective attack surface.

Java and web-facing exposure

Note 3723655 is a reflected XSS issue in SAP NetWeaver AS Java JDBC Test Servlet. It requires user interaction, but it can still be used to steal session context or manipulate browser-side content. Note 3715280 is a reflected XSS issue in SAP Wily Introscope Enterprise Manager, which is often tied to monitoring and operations workflows. Note 3726899 covers a Log4j TLS hostname verification issue in AS Java. It is not a headline-critical exploit, but it is a useful reminder that logging paths and Java libraries still need routine hygiene. Note 3682699 is a path traversal issue in SAP Fiori Launchpad; because it is user-triggered and depends on the environment, it is lower priority, but it should still be patched promptly in internet-facing Fiori landscapes.

BusinessObjects and platform misconfiguration issues

Note 3706000 is a BusinessObjects security misconfiguration that can leak sensitive information through a specific endpoint. Note 3687096 is an email spoofing issue in SAP BusinessObjects BI Platform that can undermine trust in operational messaging and approvals. These are not the most severe issues in the batch, but they matter because they affect communication, administration, and platform trust in systems that often sit close to reporting and management functions.

What Does This Patch Day Tell Us?

Three patterns stand out this month. First, identity and trust remain recurring failure points: the ABAP SAML issue, the RFC kernel issue, and the Java directory traversal vulnerability all demonstrate how quickly a control-plane weakness can lead to a platform compromise. Second, SAP Commerce Cloud continues to fall into a special risk category because it is customer-facing by design and often requires additional runtime and deployment steps after patching. Third, the medium-severity notes are not noise. They show how attackers move once they have a foothold: SQL injection, ODP-RFC exposure, XSS, misconfigurations, and missing authorization checks are all practical follow-on paths.

The operational lesson is simple. Patching should be prioritized by exposure as much as by CVSS. Internet-facing Java and commerce components need rapid handling. ABAP kernel and authentication issues need immediate attention, even when they are not visible to end users. And the lower-severity notes should be closed on the same cadence as the rest of the monthly cycle, because they are part of the same defense-in-depth story.

Final Recommendations by Pathlock

  • Patch the four Critical notes first: 3717897, 3746332, 3727078, and 3748262. Then follow with the two High notes, 3747484 and 3735546.
  • For SAP Commerce Cloud, remember that patching may also require a rebuild and redeploy. Validate the final version in the running environment, not only in the build artifact.
  • Review exposed services, SAML flows, RFC reachability, and Java web endpoints before and after patching. Most successful attacks in SAP landscapes still begin with a reachable interface and a trust decision.
  • Use the medium and lower-priority notes to drive your backlog, especially where they affect public-facing systems, shared technical users, or administrative endpoints.
  • Treat this patch cycle as a reminder that the SAP attack surface extends across ABAP, Java, cloud commerce, and integration middleware. Defense-in-depth remains necessary even after the notes are implemented.

Sources reviewed

SAP Security Notes: 3751691, 3748819, 3748262, 3747484, 3746332, 3735546, 3727078, 3726899, 3723655, 3717897, 3715280, 3706000, 3687096, 3682699, 3673181