Skip to main content

SAP June 2026 Patch Day: CVSS 9.9 SAML Authentication Flaw Threatens Every NetWeaver Deployment

SAP released 15 security notes on June 9, 2026, with four critical vulnerabilities. The worst, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw in SAML authentication that lets an attacker forge identity across an entire SAP landscape. A second CVSS 9.8 flaw allows unauthenticated memory corruption in the ABAP kernel via RFC requests.

By TozenNews Editorial Team5 min read
SAP June 2026 Patch Day: CVSS 9.9 SAML Authentication Flaw Threatens Every NetWeaver Deployment

SAP June 2026 Patch Day: CVSS 9.9 SAML Authentication Flaw Threatens Every NetWeaver Deployment

SAP released 15 new security notes on June 9, 2026, as part of its monthly Security Patch Day. Four of those notes addressed critical vulnerabilities in SAP NetWeaver and SAP Commerce Cloud. The most severe, CVE-2026-44748, carries a CVSS score of 9.9 and allows an attacker to forge authentication credentials across an entire SAP landscape. For most enterprises running SAP, this is not a niche threat: it sits in the login layer that every user and every integrated system depends on.

What CVE-2026-44748 actually does

The vulnerability is an XML Signature Wrapping flaw in the SAML authentication stack of SAP NetWeaver AS ABAP and the ABAP Platform. SAML is the protocol that enables single sign-on and federated identity across enterprise applications. An authenticated attacker with normal, user-level access can obtain a valid signed SAML message, alter its XML structure, and send the modified document back to the verifier. Because the verification logic does not properly check the cryptographic signature against the full XML document, it accepts the tampered identity information as legitimate.

The practical outcome is that an attacker who has compromised any standard user account can impersonate other users, escalate privileges, and access data across HR, finance, and supply chain modules. SAP_BASIS versions 702 through 919 are affected, which covers virtually every supported NetWeaver release currently in production. The Cyber Security Agency of Singapore and the Canadian Centre for Cyber Security both issued advisories urging immediate patching. A public proof-of-concept exploit appeared on GitHub shortly after disclosure.

For organizations that cannot patch immediately, SAP has documented a temporary workaround: disable SAML authentication until Security Note 3746332 can be applied. This is a significant operational decision in environments that rely on SSO, so patch scheduling should be the first conversation.

The second critical flaw: unauthenticated memory corruption

Close behind in severity is CVE-2026-27671, rated CVSS 9.8, in the SAP Kernel used by Application Server ABAP. This one requires no authentication. An attacker who can reach an SAP application server over the network can send a crafted RFC request that exploits logical errors in kernel memory management, potentially causing a buffer overflow, heap corruption, arbitrary code execution, or a system crash.

There is no workaround for this flaw. The only remediation is a kernel patch, which requires Basis team planning and a scheduled maintenance window. CISA's advisory also flagged CVE-2026-27671 as automatable, meaning it can be exploited at scale without manual effort per target. That classification significantly raises the urgency for organizations that have not yet applied the kernel update.

Two more critical notes round out the patch set

CVE-2026-22732, rated CVSS 9.1, affects SAP Commerce Cloud and SAP Data Hub through a vulnerability in the Spring Security framework. Under certain conditions, the application fails to write HTTP security response headers, leaving sessions exposed to connection hijacking and information disclosure. CVE-2026-40128, rated CVSS 9.0, is a directory traversal flaw in the SAP NetWeaver AS Java Web Container. Unauthenticated attackers can craft malicious HTTP logon requests that escape the intended file context, potentially accessing sensitive files or causing denial-of-service conditions. Neither flaw has a workaround; both require the SAP-provided patch.

The broader picture for SAP security in 2026

SAP's June 2026 patch cycle reflects a pattern that has defined SAP security for the past several years. The most dangerous vulnerabilities rarely appear in obscure add-on products. They sit in the foundational layers: the kernel, the authentication path, the application server. A flaw in the login layer and one in the kernel, in the same month, removes two assumptions that SAP security posture normally relies on: that users are who they claim to be, and that the runtime itself has not been corrupted.

According to SAPinsider's ERP Migration and Transformation 2026 report, 55% of organizations have deployed SAP S/4HANA or SAP cloud, but only 34% have fully transitioned. The majority still run hybrid landscapes where classic ABAP and NetWeaver components carry critical business processes alongside newer systems, and those classic components need to be patched on the same cadence.

Managing SAP security at this pace requires more than reactive patching. It requires continuous visibility into which systems are running which kernel and BASIS versions, automated prioritization of HotNews notes, and tested rollback procedures when kernel updates affect production stability. Teams looking for structured support in building that capability can explore what specialized SAP security firms offer. tozenLabs, for instance, works with organizations on SAP landscape security assessments and patch management frameworks, the kind of proactive approach that separates teams who contain an incident like CVE-2026-44748 from those still discovering it months later.

Action items for SAP Basis and security teams

Apply SAP Security Note 3746332 for CVE-2026-44748 across all NetWeaver and ABAP Platform instances running SAP_BASIS 702 through 919. If patching is delayed, disable SAML authentication as an interim measure and rotate SAML signing keys with every federated identity provider. For CVE-2026-27671, schedule the kernel patch as soon as operationally possible and test SAML integrations after applying the update. For CVE-2026-40128 and CVE-2026-22732, apply the respective notes and verify that any affected Java or Commerce Cloud endpoints are not directly reachable from untrusted networks until patched.

All four critical notes are published on SAP's security notes overview portal. Teams should also review the five in-between notes released after June 9, including the updated malicious npm package advisory for SAP Cloud Application Programming Model.

Filed under:Technology