SAP June 2026 Patch Day: A 9.9-Rated SAML Authentication Bypass You Cannot Ignore
On June 9, 2026, SAP released 15 security notes as part of its monthly Patch Day. Four carry critical severity scores. The headline vulnerability, CVE-2026-44748, is an XML Signature Wrapping flaw in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform, scored at CVSS 9.9. An authenticated attacker with ordinary user privileges can manipulate signed XML documents so the system accepts tampered identity data as legitimate.
That is an authentication bypass. An attacker who holds a valid account, or who has obtained one through credential theft, can forge SAML assertions the server accepts as genuine. The result is unauthorized access to sensitive data, privilege escalation, and potential disruption of normal operations across any SAP system using SAML for single sign-on, federated identity, or web service security. SAP_BASIS versions 702 through 919 are affected. That covers the majority of active production SAP landscapes.
The second critical flaw may be operationally worse
CVE-2026-27671, scored at CVSS 9.8, is a memory corruption vulnerability in the Application Server ABAP kernel. Unlike the SAML flaw, this one requires no authentication at all. An unauthenticated attacker who can reach the SAP application server over the network can send a crafted RFC request that triggers logical errors in kernel memory management, potentially causing a buffer overflow, application crash, or arbitrary code execution.
There is no workaround for CVE-2026-27671. The only fix is a kernel update. Organizations that cannot immediately schedule a maintenance window are exposed to an unauthenticated remote code execution path in the foundational SAP infrastructure layer. For most security teams, that should override any other patching priority this month.
Two additional critical notes complete June's picture
CVE-2026-22732, scored at CVSS 9.1, affects SAP Commerce Cloud and SAP Data Hub through a Spring Security vulnerability. It weakens HTTP security header enforcement and could expose externally reachable commerce services to confidentiality and integrity compromise. CVE-2026-40128, scored at CVSS 9.0, is a directory traversal flaw in the SAP NetWeaver Application Server Java Web Container. An unauthenticated attacker can manipulate HTTP logon requests to escape the intended application directory and access or modify sensitive system files.
The broader threat context SAP teams need to understand
An authentication bypass and an unauthenticated remote code execution flaw shipping in the same patch cycle, both in components that underpin nearly every SAP landscape, is not a routine month. SAP security researchers have noted that AI-assisted attack tools in 2026 can analyze newly released patches and generate working exploit code within hours of publication. That compresses the window between SAP's monthly release and real-world exploitation from weeks to days.
Organizations running SAP environments need continuous, automated security posture monitoring that goes beyond monthly manual patch review. Specialized SAP security monitoring platforms, such as those developed by teams like TozenLabs, are increasingly relevant as this gap between patch release and active exploitation shortens month by month. The recommended triage order for June 2026 is: apply the SAML XML Signature fix immediately across all affected SAP_BASIS versions, use the temporary workaround of disabling SAML authentication only as an emergency bridge where patching cannot happen immediately, then schedule the ABAP kernel update to close the unauthenticated RFC vector. The Commerce Cloud Spring Security and NetWeaver Java directory traversal notes follow directly behind.
SAP's patch history across 2026 shows consistent targeting of foundational layers: RFC handling, authentication paths, and kernel-level memory management. Security teams treating SAP patching as routine scheduled maintenance are operating at the wrong risk level for current enterprise threat conditions.