SAP’s February 2026 Patch Day (10 February 2026) includes 26 SAP Security Notes. Of these, 2 are Critical (CVSS 9.0+) and 6 are High (CVSS 7.0–8.9).
This month stands out for two reasons:
- A critical code injection path in SAP CRM / S/4HANA’s legacy Scripting Editor that can lead to full database compromise, and
- A critical kernel-level authorization enforcement gap impacting RFC execution paths.

Combined with unauthenticated denial-of-service conditions in SAP BusinessObjects BI Platform and a high-impact XML signature wrapping issue in NetWeaver AS ABAP, this is a Patch Day where exposure and trust boundaries, not just CVSS, should drive your prioritization.
Key Takeaways
- Patch immediately if you run SAP CRM WebClient / Scripting Editor or rely on RFC heavily. The month’s top issues target the “trusted plumbing” of SAP landscapes: RFC execution and web-facing CRM tooling.
- BusinessObjects BI Platform customers should treat this month as availability-critical. Two separate unauthenticated DoS paths can repeatedly crash core services if reachable from untrusted networks.
- Identity and signed XML handling remains a high-risk area. The XML Signature Wrapping issue is particularly relevant in environments using SAML and ABAP web services security.
- Most realistic attacker paths this month involve either:
  - Compromised low-privileged accounts abusing insufficient authorization enforcement, or
  - Direct network abuse of exposed BI endpoints that were implicitly trusted internally.
- Most at risk: organizations with internet-facing BI Launchpad/web tiers, CRM WebClient deployments, or broad RFC reachability across segmented networks (including partner/VPN-accessible internal users).
Critical and High-Priority Security Notes
3697099 (CVE-2026-0488) – Code Injection in SAP CRM / SAP S/4HANA (Scripting Editor)
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| Critical | 9.9 | CRM Interaction Center WebClient Framework (Scripting Editor) | ABAP-based CRM WebClient (BSP/ICF service) | Commonly reachable via HTTP(S) wherever the CRM WebClient UI is published. Often internal, but frequently reachable from broader enterprise networks (VDI, call center networks, partner access). |
How widely is SAP CRM and S/4HANA used?
- Still present in many large, established SAP CRM landscapes, especially where Interaction Center WebClient remains part of customer service operations.
- In S/4HANA contexts, the issue is relevant where the legacy Scripting Editor is still enabled.
- Typical users: call center agents, supervisors, CRM support staff, meaning high user volume and a realistic risk of credential compromise.
Nature of Vulnerability
- The underlying flaw is a generic function module invocation path that can be abused to execute unauthorized critical functionality.
- Practically: the application logic allows a low-privileged authenticated user to drive execution into functions that should be restricted, up to and including arbitrary SQL execution, because the system does not sufficiently constrain what can be called.
Attack Scenarios
- Prerequisites: Valid credentials (even low privilege). Network access to the CRM WebClient/Scripting Editor endpoints.
- A realistic chain looks like:
  - Attacker compromises a standard CRM user (phishing, password reuse, endpoint compromise).
  - Attacker accesses the Scripting Editor-related functionality and leverages the generic call flaw.
  - Attacker executes unauthorized database-level actions (SQL), resulting in broad control.
- What an attacker can achieve: database compromise, data theft/modification, and operational disruption by manipulating CRM/S/4 data at the persistence layer.
Business Impact
- This is not a “single transaction” issue. It can become a platform compromise.
- High-likelihood outcomes include:
  - Exposure of customer PII and interaction records,
  - Manipulation of customer cases, service entitlements, pricing, or workflow routing,
  - Potential systemic downtime if database integrity is affected.
- From a business standpoint, this is breach + integrity + service continuity risk, not just an application bug.
Mitigation and Recommendations
- Primary: Apply SAP’s correction instructions/support packages for Note 3697099.
- If patching is delayed (immediate defensive action):
  - Disable the SICF service for the legacy Scripting Editor (/sap/bc/bsp/sap/CRM_IC_ISE) if your business can tolerate the loss of that legacy function.
- Hardening/monitoring:
  - Review who can access CRM WebClient scripting-related functionality; reduce to a minimal admin set.
  - Monitor for unusual function module execution patterns from CRM user contexts, especially spikes or calls atypical for agent roles.
  - Revalidate privileged roles in CRM support teams; this vulnerability becomes catastrophic when paired with overly broad authorizations.
3674774 (CVE-2026-0509) – Missing Authorization Enforcement for RFC Execution Paths (AS ABAP / ABAP Platform)
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| Critical | 9.6 | RFC (including background RFC), with impact across NetWeaver AS ABAP / ABAP Platform | ABAP kernel / RFC runtime behavior (kernel-level correction) | Typically internally reachable, but RFC is one of the most widely reachable protocols across SAP landscapes (application-to-application trust, middleware, administrative tooling, and sometimes cross-zone connectivity). |
How widely is RFC used?
- Near-universal in enterprise SAP environments: RFC is foundational for integrations, background processing, and cross-system communication.
- Particularly relevant in environments with:
  - Extensive RFC destinations between ECC/S/4, BW, CRM, PI/PO, SolMan, and custom middleware.
  - Large operational teams using RFC-enabled tooling and batch automation.
Nature of the Vulnerability
- The issue is an authorization enforcement gap where S_RFC checks are not consistently applied in certain execution scenarios.
- The result: an authenticated low-privileged user can trigger background RFC execution without having the intended authorization, effectively bypassing a core access control boundary.
Attack Scenarios
- Prerequisites: A valid low-privileged user and network reachability to RFC-related paths.
- Plausible real-world paths:
  - An attacker with a foothold on a user account leverages RFC mechanisms to execute remote-enabled functionality that should be blocked by S_RFC.
  - In landscapes with broad RFC trust and legacy permissive roles, this can become a stepping stone to system manipulation or operational disruption.
- What an attacker can achieve: unauthorized execution of RFC operations, data/process manipulation through RFC-enabled functions, and potentially service disruption through high-impact RFC operations.
Business Impact
- The risk is not isolated to one application area. RFC is a control plane for SAP operations.
- Impact typically manifests as:
  - Unauthorized process changes (integrity),
  - Availability disruption through abusive RFC execution,
  - Increased blast radius because RFC links systems and trust relationships.
Mitigation and Recommendations
- Primary: Implement SAP’s kernel/support package guidance for Note 3674774.
- Key implementation considerations (Basis-relevant):
  - SAP indicates the fix requires a kernel update and setting rfc/authCheckInPlayback = 2 to enforce checks properly in the relevant scenarios.
  - Be aware of regression handling called out by SAP for specific kernel releases; treat this as a change that requires a controlled rollout, not deferral.
- If patching is delayed:
  - There is no functional workaround in the note; focus on exposure control:
    - Tighten RFC network access (ACLs, segmentation).
    - Review high-risk RFC destinations, trusted RFC configurations, and permissive S_RFC assignments.
- Hardening/monitoring:
  - If you use UCON, verify that your communication assemblies and allowlists continue to reflect the intended behavior after applying the fix (authorization-enforcement changes can reveal previously hidden overuse of RFC).
  - Monitor for unusual bgRFC/qRFC execution patterns, especially originating from user contexts that normally do not initiate RFC-heavy operations.
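As an added illustration of the monitoring item above (and of the analogous CRM item earlier, watching for function module calls atypical for a role), here is a small Python detector that is not part of SAP's tooling or of this post. It assumes a constructed, line-oriented RFC execution trace (the key=value layout is an assumption; real sources such as the Security Audit Log, gateway log or bgRFC monitor have their own formats), a maintained allowlist of identities expected to initiate background/transactional RFC, and a per-identity baseline of function modules seen in normal operation. It flags RFC initiators outside the allowlist and expected initiators that drift outside their baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample trace, one execution per line. The key=value layout is an
# assumption for this example; real sources (Security Audit Log, gateway log,
# bgRFC monitor) use their own formats and would need their own parser.
SAMPLE_LOG = """\
2026-02-11T08:01:12Z user=BATCH_INTEG kind=bgRFC fm=Z_SYNC_ORDERS rc=0
2026-02-11T08:01:40Z user=BATCH_INTEG kind=bgRFC fm=Z_SYNC_ORDERS rc=0
2026-02-11T08:02:05Z user=MIDDLEWARE kind=tRFC fm=Z_INBOUND_DOCS rc=0
2026-02-11T08:03:00Z user=AGENT017 kind=dialog fm=- rc=0
2026-02-11T08:03:21Z user=AGENT017 kind=bgRFC fm=Z_SYNC_ORDERS rc=0
2026-02-11T08:03:22Z user=AGENT017 kind=bgRFC fm=Z_DATA_EXTRACT rc=0
2026-02-11T08:03:23Z user=AGENT017 kind=bgRFC fm=Z_DATA_EXTRACT rc=0
2026-02-11T08:03:25Z user=AGENT017 kind=bgRFC fm=Z_DATA_EXTRACT rc=0
2026-02-11T08:04:10Z user=BATCH_INTEG kind=bgRFC fm=Z_SYNC_ORDERS rc=0
2026-02-11T08:04:40Z user=BATCH_INTEG kind=bgRFC fm=Z_DATA_EXTRACT rc=0
"""

# Identities expected to initiate background/transactional RFC. Assumption: this
# is maintained from your RFC destination and batch/integration user inventory.
EXPECTED_RFC_INITIATORS = frozenset({"BATCH_INTEG", "MIDDLEWARE"})

# Assumed per-identity baseline of function modules observed in normal operation.
FM_BASELINE = {
    "BATCH_INTEG": frozenset({"Z_SYNC_ORDERS"}),
    "MIDDLEWARE": frozenset({"Z_INBOUND_DOCS"}),
}

RFC_KINDS = frozenset({"bgRFC", "tRFC", "qRFC"})


@dataclass(frozen=True)
class RfcEvent:
    ts: datetime
    user: str
    kind: str
    fm: str


def parse_line(line):
    """Parse one constructed trace line into an RfcEvent."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(token.split("=", 1) for token in rest.split())
    return RfcEvent(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
                    fields["user"], fields["kind"], fields["fm"])


def rfc_events(log_text):
    """Parse the trace and keep only background/transactional RFC executions."""
    return [ev for ev in (parse_line(l) for l in log_text.splitlines() if l.strip())
            if ev.kind in RFC_KINDS]


def find_unexpected_rfc_initiators(log_text, expected=EXPECTED_RFC_INITIATORS):
    """Baseline deviation: {user: [function modules]} for users that initiated
    bgRFC/tRFC/qRFC but are not on the expected-initiator list."""
    hits = defaultdict(list)
    for ev in rfc_events(log_text):
        if ev.user not in expected:
            hits[ev.user].append(ev.fm)
    return dict(hits)


def find_fm_drift(log_text, baseline=FM_BASELINE):
    """Role deviation: {user: sorted function modules} for expected initiators that
    called function modules outside their recorded baseline. Users with no baseline
    are left to find_unexpected_rfc_initiators."""
    drift = defaultdict(set)
    for ev in rfc_events(log_text):
        if ev.user in baseline and ev.fm not in baseline[ev.user]:
            drift[ev.user].add(ev.fm)
    return {user: sorted(fms) for user, fms in drift.items()}


if __name__ == "__main__":
    print("unexpected initiators:", find_unexpected_rfc_initiators(SAMPLE_LOG))
    print("baseline drift:", find_fm_drift(SAMPLE_LOG))
```

Both checks are deliberately simple so that the allowlist and baseline, not the code, carry the judgement; after applying the kernel correction, the same baseline is useful for spotting RFC usage that the stricter S_RFC enforcement starts rejecting.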
3697567 (CVE-2026-23687) – XML Signature Wrapping in NetWeaver AS ABAP / ABAP Platform
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| High | 8.8 | Web Services Security for ABAP (signed XML verification) | ABAP (WS-Security / signed XML processing), with relevance to SAML-based authentication scenarios | Often internally reachable, but becomes high risk when ABAP web services and SAML flows are exposed through gateways, proxies, or external identity providers. |
How widely is XML Verification used?
- Signed XML verification sits under several commonly deployed patterns:
  - SAML assertions and federated authentication in enterprise SSO,
  - ABAP web services using WS-Security,
  - Integrations that rely on signed payloads for trust.
- Large enterprises with centralized IAM and multiple SAP entry points are the most likely to encounter these message types.
Nature of Vulnerability
- XML Signature Wrapping is a class of bugs where the signature verification logic validates one XML element, while the application consumes a different, attacker-controlled element in the same document.
- In practical terms: a valid signed message can be repackaged so the signature still verifies, but the identity or authorization-bearing parts processed by the application are modified.
Attack Scenarios
- Prerequisites: Authenticated user and the ability to obtain a legitimate signed message (e.g., from a normal SAML login or service call).
- A realistic exploitation pattern:
  - Attacker captures a valid signed XML message.
  - Attacker modifies identity-bearing fields and wraps/reorders XML elements to confuse the verifier.
  - The system accepts the message as valid, but processes attacker-controlled identity attributes.
- What an attacker can achieve: impersonation-like outcomes, unauthorized access to sensitive user data, and disruption of normal usage if identity assertions are abused.
Business Impact
- This is fundamentally a trust model break. When signed identity data can be tampered with, you risk:
  - Unauthorized access to business data and workflows,
  - Compliance exposure (identity assurance, access controls),
  - Incident response complexity (actions appear as “valid SSO”).
Mitigation and Recommendations
- Primary: Apply SAP’s support packages/patches for Note 3697567.
- If patching is delayed:
  - SAP’s workaround guidance effectively boils down to: disable SAML authentication (where applicable). That’s disruptive, but it reflects the reality that there is no safe partial mitigation for general use of signed XML.
- Hardening/monitoring:
  - Ensure end-to-end TLS for all identity and service flows; do not rely on “internal network trust.”
  - Increase monitoring around SAML assertions / signed XML verification errors and anomalies (unexpected issuer/audience patterns, unusual user sessions, repeated failed verifications).
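To make the verifier-side mistake behind XML Signature Wrapping concrete, the following Python example (added here; it is not SAP code and does not describe the SAP implementation) contrasts a consumer that verifies a signature and then reads the identity from the first Assertion it finds with one that consumes only the element it actually verified. It uses a toy HMAC over the serialised element in place of real XML-DSig and a constructed Response document so that it runs offline; the element names, the shared key and the `Extensions` wrapper are assumptions made for the fixture.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Toy shared secret. Real XML-DSig/SAML uses asymmetric keys and XML canonicalisation;
# the consumer-side mistake illustrated here does not depend on that (assumption).
DEMO_KEY = b"constructed-demo-key"


def canon(elem):
    """Serialise one element (without its tail text) as the bytes that get signed."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="utf-8")


def elements_with_id(root, id_value):
    return [e for e in root.iter() if e.get("ID") == id_value]


def build_signed_response(subject):
    """Constructed fixture: a Response carrying one Assertion, signed by reference to its ID."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="a1")
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#a1")
    ET.SubElement(sig, "SignatureValue").text = hmac.new(
        DEMO_KEY, canon(assertion), hashlib.sha256).hexdigest()
    return ET.tostring(root, encoding="unicode")


def build_wrapped_response(signed_xml, rogue_subject):
    """Constructed test fixture for the verifiers: the signed Assertion is left intact
    (so the signature still verifies) but moved under an extension element, and an
    unsigned Assertion is placed where a naive consumer looks first."""
    root = ET.fromstring(signed_xml)
    original = root.find("Assertion")
    root.remove(original)
    wrapper = ET.Element("Extensions")
    wrapper.append(original)
    rogue = ET.Element("Assertion")
    ET.SubElement(rogue, "Subject").text = rogue_subject
    root.insert(0, rogue)
    root.insert(1, wrapper)
    return ET.tostring(root, encoding="unicode")


def verified_element(root):
    """Check the signature; return the element it covers, or None on failure."""
    sig = root.find("Signature")
    if sig is None:
        return None
    ref = sig.find("Reference")
    if ref is None or not ref.get("URI", "").startswith("#"):
        return None
    candidates = elements_with_id(root, ref.get("URI")[1:])
    if not candidates:
        return None
    target = candidates[0]
    expected = hmac.new(DEMO_KEY, canon(target), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.findtext("SignatureValue") or ""):
        return None
    return target


def consume_insecure(doc_xml):
    """Vulnerable pattern: verifies that *a* signature is valid, then reads the identity
    from the first Assertion in the document, which need not be the verified element."""
    root = ET.fromstring(doc_xml)
    if verified_element(root) is None:
        raise ValueError("signature verification failed")
    return root.find("Assertion").findtext("Subject")


def consume_hardened(doc_xml):
    """Hardened pattern: exactly one element may carry the referenced ID, exactly one
    Assertion may exist, the signed element must sit where the schema expects it, and
    only the element that was actually verified is ever consumed."""
    root = ET.fromstring(doc_xml)
    sig = root.find("Signature")
    if sig is None or sig.find("Reference") is None:
        raise ValueError("missing signature")
    ref_id = sig.find("Reference").get("URI", "")[1:]
    if len(elements_with_id(root, ref_id)) != 1:
        raise ValueError("ambiguous or missing signed element")
    if len(list(root.iter("Assertion"))) != 1:
        raise ValueError("unexpected number of assertions")
    signed = verified_element(root)
    if signed is None:
        raise ValueError("signature verification failed")
    if signed.tag != "Assertion" or signed not in list(root):
        raise ValueError("signed element is not the top-level Assertion")
    return signed.findtext("Subject")
```

The design point is that "the signature verifies" is a property of one element, so the identity must be read from that element object, never re-located by ID or by position afterwards; the uniqueness and position checks close the remaining ways a document can carry a second, unsigned copy.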
3703092 (CVE-2026-23689) – Denial of Service in SAP Supply Chain Management (APO Collaborative Planning)
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| High | 7.7 | SCM APO Collaborative Planning | ABAP; exploitation occurs through remote-enabled function module invocation | Typically internal (RFC). Risk increases in environments where business users or integration users have broad RFC access. |
How widely is APO used?
- APO usage varies, but where it exists, it is commonly in manufacturing, logistics, and large-scale supply chain operations.
- The criticality is less about the install base and more about business reliance: APO downtime tends to have immediate operational costs.
Nature of Vulnerability
- This is a classic uncontrolled resource consumption flaw.
- A loop-control parameter can be provided at an excessively large value, causing prolonged execution and consuming work processes / CPU, effectively turning a single RFC-enabled function into a DoS primitive.
Attack Scenarios
- Prerequisites: Authenticated user with network access and the ability to call the RFC-enabled function (directly or indirectly).
- Likely real-world scenario:
  - A compromised business user or integration credential repeatedly triggers the function with malicious parameters.
  - The system becomes saturated, leading to timeouts, queue backlogs, and unavailability.
Business Impact
- Primary impact is availability:
  - Planning runs are delayed or failing,
  - Downstream execution (procurement, production scheduling) is impacted,
  - Operational teams are forced into manual workarounds and re-planning.
- Even without data theft or modification, a sustained DoS on planning systems can become a material business event.
Mitigation and Recommendations
- Primary: Apply SAP’s correction for Note 3703092 (input validation enforcement).
- If patching is delayed:
  - Review and tighten RFC authorizations for the relevant function(s) where possible.
  - Monitor for abnormal call frequency and unusually large parameter values (where logging enables visibility).
- Hardening/monitoring:
  - Ensure integration users are segregated, least-privileged, and monitored.
  - Consider rate limiting or network controls around RFC access paths if APO is reachable from broad network zones.
3654236 (CVE-2026-0490) – Unauthenticated DoS Against SAP BusinessObjects BI Platform (Trusted Endpoint Authentication Break)
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| High | 7.5 | SAP BusinessObjects BI Platform web application tier interacting with a “trusted endpoint.” | BusinessObjects BI Platform | Often web-reachable; many organizations expose BI Launchpad to broad user populations, sometimes through DMZ or reverse proxies. |
How widely is BusinessObjects used?
- BusinessObjects remains common in enterprises for:
  - Finance and operational reporting,
  - Regulated reporting workflows,
  - Large global deployments where the BI Platform is a shared service.
- Even when not internet-facing, it is frequently reachable from large internal user populations—raising the likelihood of abuse.
Nature of the Vulnerability
- A specifically crafted request can be sent to a trusted endpoint in a way that breaks authentication handling, locking out legitimate users.
- The trust boundary problem: the web tier did not sufficiently verify that requests were coming from legitimate backend systems.
Attack Scenarios
- Prerequisites: None (unauthenticated). Only network reachability to the vulnerable endpoint.
- Likely exploitation:
  - Attacker sends crafted requests repeatedly.
  - Legitimate users lose the ability to authenticate or use the platform.
- What an attacker can achieve: sustained service disruption without credentials.
Business Impact
- BI Platform outages typically hit at the worst times (month-end close, operational reporting windows).
- This is a direct availability and business continuity issue, and it can cascade into compliance reporting delays if BI is used for regulated outputs.
Mitigation and Recommendations
- Primary: Patch per Note 3654236, and implement the post-patch configuration to secure the trusted endpoint.
- If patching is delayed (immediate defensive action):
  - Enforce strict network separation between external user access to the web tier and internal web-to-backend communication.
  - Block external access to the trusted endpoint URL(s) at the reverse proxy/firewall.
- Hardening/monitoring:
  - Treat internal “trusted endpoints” as high-value interfaces: require mutual authentication (mTLS) and restrict them to backend-only network zones.
  - Monitor for repeated failed authentication sequences or sudden spikes in requests to backend trust endpoints.
3678282 (CVE-2026-0485) – Unauthenticated DoS via CMS Crash/Restart Loop in SAP BusinessObjects BI Platform
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| High | 7.5 | BusinessObjects Content Management Server (CMS) | BusinessObjects BI Platform communication layer / inter-process data exchange | Network reachable wherever CMS communication paths are accessible; risk spikes when BI internal ports are exposed beyond intended segments. |
How widely is CMS used?
- CMS is the operational core of BusinessObjects (security, scheduling, metadata).
- If CMS becomes unstable, the entire platform becomes unstable—so this matters to almost every BusinessObjects deployment.
Nature of Vulnerability
- The CMS did not properly enforce input size constraints. Specially crafted requests can trigger crashes and automatic restarts.
- Repeating the request turns a single crash into a persistent unavailability loop.
Attack Scenarios
- Prerequisites: None (unauthenticated), only reachability.
- Realistic exploitation is straightforward:
  - Attacker repeatedly submits oversized or malformed requests.
  - CMS crashes and restarts continuously until mitigations or network blocks are applied.
Business Impact
- The impact is a sustained outage of reporting, scheduling, and BI administration.
- The operational cost is high because repeated crashes can also create:
  - Backlogs,
  - Incomplete job executions,
  - Administrative recovery effort and downtime coordination.
Mitigation and Recommendations
- Primary: Apply Note 3678282 support packages/patches.
- If patching is delayed:
  - Restrict and encrypt backend communications (SAP points to securing backend server communication; practically, focus on preventing untrusted networks from reaching these interfaces).
- Hardening/monitoring:
  - Validate internal port exposure. CMS should not be reachable from broad user networks.
  - Monitor for crash/restart patterns and automate alerting; persistent restarts should be treated as potential active exploitation, not just “instability.”
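The last point, treating persistent restarts as a signal rather than as instability, can be automated. The Python below is an added example, not SAP's CMS logging or tooling; it assumes a constructed log format with one line per process event, pairs each unplanned termination with the following start, ignores administrator-initiated stops, and alerts when a configurable number of crash/restart cycles fall within a sliding window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: one line per CMS process event. The format is an assumption
# for this example; real BusinessObjects server and SIA logs differ.
SAMPLE_CMS_LOG = """\
2026-02-11 02:10:00 INFO  CMS process stopped by administrator (maintenance)
2026-02-11 02:10:20 INFO  CMS process started, pid=4701
2026-02-11 02:14:03 ERROR CMS process terminated unexpectedly (exit code 139)
2026-02-11 02:14:09 INFO  CMS process started, pid=4812
2026-02-11 02:14:31 ERROR CMS process terminated unexpectedly (exit code 139)
2026-02-11 02:14:38 INFO  CMS process started, pid=4820
2026-02-11 02:15:02 ERROR CMS process terminated unexpectedly (exit code 139)
2026-02-11 02:15:08 INFO  CMS process started, pid=4833
2026-02-11 02:15:30 ERROR CMS process terminated unexpectedly (exit code 139)
2026-02-11 02:15:36 INFO  CMS process started, pid=4841
2026-02-11 03:40:00 ERROR CMS process terminated unexpectedly (exit code 139)
2026-02-11 03:40:07 INFO  CMS process started, pid=5102
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\s+(.*)$")
CRASH_MARK = "terminated unexpectedly"
START_MARK = "process started"
PLANNED_STOP_MARK = "stopped by administrator"


def parse_events(log_text):
    """Yield (timestamp, message) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)


def crash_restart_cycles(log_text):
    """Pair each unplanned termination with the next start.
    Returns a list of (crash_time, restart_time); planned stops never count."""
    cycles, pending_crash = [], None
    for ts, msg in parse_events(log_text):
        if CRASH_MARK in msg:
            pending_crash = ts
        elif PLANNED_STOP_MARK in msg:
            pending_crash = None
        elif START_MARK in msg and pending_crash is not None:
            cycles.append((pending_crash, ts))
            pending_crash = None
    return cycles


def detect_restart_loop(log_text, window=timedelta(minutes=10), min_cycles=3):
    """Return the densest cluster of crash/restart cycles that reaches `min_cycles`
    inside `window`, as {"cycles", "first_crash", "last_crash"}, or None."""
    crash_times = [crash for crash, _ in crash_restart_cycles(log_text)]
    best, start = None, 0
    for end in range(len(crash_times)):
        while crash_times[end] - crash_times[start] > window:
            start += 1
        count = end - start + 1
        if count >= min_cycles and (best is None or count > best["cycles"]):
            best = {"cycles": count,
                    "first_crash": crash_times[start],
                    "last_crash": crash_times[end]}
    return best


if __name__ == "__main__":
    alert = detect_restart_loop(SAMPLE_CMS_LOG)
    if alert:
        print(f"ALERT: {alert['cycles']} CMS crash/restart cycles between "
              f"{alert['first_crash']} and {alert['last_crash']}")
```

A single crash at 03:40 in the sample is left alone; only the four-cycle cluster between 02:14 and 02:15 trips the alert, which is the shape a repeated oversized-request loop would produce and the shape an isolated fault would not.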
3692405 (CVE-2025-12383) – SSL Trust Validation Bypass Risk in SAP Commerce Cloud (Eclipse Jersey Race Condition)
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| High | 7.4 | SAP Commerce Cloud platform, specifically outbound connections using Eclipse Jersey | Java / Commerce Cloud | Not an “internet-facing endpoint” bug by itself – risk emerges when the application makes outbound calls (integrations, APIs, downstream services). |
How widely is Commerce Cloud used?
- Commerce Cloud is widely used in retail, consumer goods, and B2B commerce, often with heavy integration to payment, logistics, tax, and personalization services.
- The note explicitly indicates the default SAP Commerce Cloud configuration is not affected; this becomes relevant when customers have custom extensions/integrations using Jersey with custom trust handling.
Nature of Vulnerability
- A concurrency flaw in the Jersey SSL trust handling can lead to a narrow window where trust validation is bypassed during parallel request processing.
- In practice, this can weaken outbound TLS guarantees—particularly in systems that override default trust configuration.
Attack Scenarios
- Prerequisites: Timing/concurrency conditions and a path to influence outbound connection behavior (typically through application traffic patterns or integration flows).
- Most realistic scenarios involve:
  - High traffic causing concurrent outbound connection creation,
  - A misconfigured/custom trust setup,
  - An attacker leveraging the weakened trust validation to enable a man-in-the-middle or connection to an untrusted endpoint.
Business Impact
- If exploitable in a given environment, the business risk is data integrity and confidentiality through compromised integration channels:
  - Leakage of customer/order data,
  - Tampering with responses from downstream services,
  - Fraud enablement if integrations drive pricing, availability, or checkout decisions.
Mitigation and Recommendations
- Primary: Update to fixed Commerce Cloud versions as specified in Note 3692405 (Jersey upgrade).
- If patching is delayed:
  - Audit custom outbound HTTP clients and truststore modifications, especially any “temporary” certificate validation exceptions.
  - Constrain outbound connectivity (egress allowlists) so the platform cannot establish outbound TLS to arbitrary destinations.
- Hardening/monitoring:
  - Monitor outbound connection failures/success patterns and certificate anomalies.
  - Treat outbound TLS trust customization as a production security-critical configuration, not just integration plumbing.
3674246 (CVE-2026-0508) – Open Redirect in SAP BusinessObjects BI Platform
| Severity | CVSS | Components | Technology | Exposure |
|---|---|---|---|---|
| High | 7.3 | SAP BusinessObjects BI Platform link handling / URL sharing | BusinessObjects BI Platform | User-facing through the BI platform UI, where links can be created/shared. |
How widely is SAP BusinessObjects BI Platform used?
- Link sharing is common in BI workflows (reports shared between teams, scheduled outputs, bookmarks).
- The most relevant environments are those with large BI user populations and complex role models.
Nature of Vulnerability
- The platform allowed attacker-controlled URLs to be embedded and shared without robust server-side validation.
- That enables unvalidated redirects to attacker-controlled destinations.
Attack Scenarios
- Prerequisites: Authenticated attacker with high privileges, plus user interaction (a victim must click).
- Realistic scenario:
  - A compromised BI admin account crafts a link inside BI that looks legitimate.
  - Users click it and are redirected to a malicious domain for credential theft or malware download.
Business Impact
- This is primarily a phishing/malware enablement risk inside trusted BI workflows.
- The business impact depends on:
  - Whether BI is used as a broadly trusted portal,
  - How many users consume BI links routinely,
  - Existing endpoint protections and user awareness.
Mitigation and Recommendations
- Primary: Patch per Note 3674246 (server-side whitelisting for redirects).
- If patching is delayed:
  - Restrict which roles can create/share external links where possible.
  - Increase monitoring for unusual link patterns created by privileged accounts.
- Hardening/monitoring:
  - Treat BI admin accounts as high-risk identities; enforce MFA where possible and monitor for anomalous behavior.
  - Combine with security awareness, specifically around BI links used in operational workflows.
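SAP's fix is described above as server-side whitelisting of redirect targets. As an added example of what such a validator has to handle (illustrative Python, not SAP's implementation; the allowed hosts are constructed), the function below accepts only same-site absolute paths or https URLs whose host is on an allowlist, and rejects the usual bypass shapes: protocol-relative `//host`, backslash and percent-encoded variants, userinfo tricks, non-https schemes, and embedded whitespace or control characters.

```python
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = frozenset({"bi.example.com", "reports.example.com"})


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a same-site absolute path ("/x") or an absolute https URL
    whose host is on the allowlist. Everything else, including anything ambiguous,
    is rejected, so the caller falls back to a fixed default."""
    if not isinstance(target, str) or not target:
        return False
    # Whitespace and control characters are stripped or reinterpreted by browsers
    # and proxies in ways that differ from urlsplit; refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Decode once so an encoded "//" cannot hide a protocol-relative URL, and treat
    # backslashes as slashes because browsers do.
    normalised = unquote(target).replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a single-slash absolute path on this site.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return False
    host = parts.hostname  # lower-cased, without port or userinfo
    if host is None or host not in allowed_hosts:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://user@allowed-host/" style confusion
    return True


def resolve_redirect(target, fallback="/"):
    """Return the target if it passes validation, otherwise the fixed fallback."""
    return target if is_safe_redirect(target) else fallback
```

The deliberate choices are to decode and normalise before parsing, to compare the parsed host rather than the raw string (so `https://bi.example.com.evil.test/` and prefix matches fail), and to never echo a rejected value back; the fallback is a constant.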
Medium and Lower Priority Notes
SAP’s remaining notes cluster around predictable but important enterprise SAP themes. The common thread is not exotic exploitation; it’s small trust failures in frequently used surfaces.
Authorization Checks and Privilege Boundaries (ABAP-heavy)
Several notes address missing or flawed authorization checks across ABAP components and business functions, including Fiori apps, workflow, support tooling, and legacy BSP applications. Practical risk here is usually driven by:
- Overly broad roles,
- Shared admin accounts,
- Compromised standard users in environments with weak segregation.
Operationally notable items include:
- A NetWeaver/S/4 authorization gap around customer extension tooling that introduces a new authorization object requirement (expect role adjustments).
- Multiple “system information disclosure” fixes in ST-PI / support tooling function modules—low severity individually, but relevant because attackers use system intelligence to accelerate later compromise.
- Workflow authorization logic correction introducing new activity separation (requires careful authorization validation post-implementation).
Web UI Injection and Redirect Patterns (BSP / SolMan / BusinessObjects)
A recurring pattern is incomplete input handling in web-delivered interfaces:
- Open redirects and XSS in BSP-based apps (including DMS-related pages and Solution Manager test automation components).
- Stored XSS in BusinessObjects CMC contexts where administrative users can inject script content.
These are often “medium” by CVSS, but they matter because they are frequently used for:
- Credential theft inside trusted corporate applications,
- Lateral movement by leveraging user trust in internal SAP URLs.
Information Disclosure and Sensitive Data Handling (Client, Browser, API)
Multiple notes address leakage through “convenience features” or exposed endpoints:
- SAP GUI for HTML storing user input history in the browser: the fix moves toward encrypted storage; the practical risk remains highest on unmanaged endpoints or shared hosts.
- SAP Business One client memory dumps: SAP reduces credential presence in memory, but customers should still treat dump generation and sharing as a high-risk behavior.
- SAP Commerce Cloud OCC endpoints returning more information than intended (with a breaking-change toggle introduced): customers should review whether toggles are being disabled for convenience.
Stability and Integrity Concerns (Kernel/ICM, Commerce cart behavior, admin tools)
Several notes are about preventing outages or integrity anomalies:
- A low-severity memory corruption/leak issue in ICM (kernel patch).
- Commerce “add-to-cart” race condition leading to incorrect product values at checkout—low on CVSS, high on fraud potential in specific commerce models.
- BusinessObjects AdminTools query path that can crash CMS (authenticated DoS).
Defender’s Perspective: What This Patch Day Tells Us
This month reinforces three defensive realities SAP customers should internalize:
- The most dangerous bugs are still in trusted pathways. RFC execution, signature verification, and “trusted endpoints” are control-plane surfaces. Attackers don’t need exotic payloads if authorization and trust enforcement are inconsistent.
- Availability attacks are increasingly practical in SAP-adjacent platforms. The BusinessObjects DoS issues show that attackers can cause meaningful disruption without credentials if you have unintentionally exposed internal interfaces or failed to enforce mutual authentication between tiers.
- Third-party libraries remain a recurring risk multiplier. Commerce Cloud’s Jersey issue and AS Java’s deserialization-related remediation are reminders that “SAP security” often means tracking the security posture of embedded ecosystems—not only ABAP code.
Strategically, customers should treat Patch Tuesday as one layer in a broader program: reduce exposure first, then patch quickly, then validate continuously. The organizations that struggle month over month are usually those with internet-facing SAP components and weak network trust boundaries, not those with the lowest patch velocity.
Final Recommendations
- Treat the two Critical notes as immediate priorities:
  - 3697099 (CRM/S4 Scripting Editor code injection): Patch and strongly consider disabling the legacy SICF service if not required.
  - 3674774 (RFC authorization enforcement): Apply the kernel-level correction and validate the parameter/enforcement behavior in a controlled rollout.
- For BusinessObjects BI Platform, prioritize availability protection:
  - Patch the unauthenticated DoS issues (3654236, 3678282) and ensure trusted/internal endpoints are not reachable from user networks or the internet.
  - Implement mutual authentication between tiers where SAP provides it; treat internal “trusted endpoints” as privileged interfaces.
- Address identity and signed XML risk next:
  - 3697567 (XML signature wrapping) should be prioritized in any landscape using SAML/WS-Security on ABAP. If you cannot patch quickly and SAML is involved, plan for compensating controls that reduce exposure.
- Don’t stop at patching:
  - Reduce attack surface (ICF service hygiene, BI tier segmentation, RFC reachability minimization).
  - Tighten least privilege (especially S_RFC and admin workflows).
  - Improve detection: monitor for abnormal RFC patterns, BI service restart loops, and suspicious identity/token behaviors.