Skip to main content

SAP July 2026 Patch Day: Critical NetWeaver ABAP Flaw CVE-2026-44747 Scores 9.9 — Patch Now

SAP released 16 security notes on July 14 including a CVSS 9.9 memory corruption vulnerability in NetWeaver AS ABAP. A low-privileged authenticated attacker can exploit it to access or corrupt data, or crash affected systems. Two more critical flaws in Approuter and Commerce Cloud round out a patch day that demands immediate attention from SAP administrators.

By TozenNews Editorial Team4 min read

SAP July 2026 Patch Day: Critical NetWeaver ABAP Flaw CVE-2026-44747 Scores 9.9 — Patch Now

SAP released its July 2026 security updates on July 14, delivering 16 new Security Notes and one GitHub security advisory, alongside updates to three previously released notes. The release covers memory corruption, HTTP request smuggling, directory traversal, insecure credentials, SQL injection, and cross-site scripting across products including NetWeaver, Approuter, Commerce Cloud, S/4HANA, Integration Suite, and Fiori.

The most severe issue is CVE-2026-44747, a memory corruption vulnerability in SAP NetWeaver Application Server ABAP with a CVSS score of 9.9. That score is not a rounding error — this is one of the most severe vulnerabilities SAP has disclosed this year, and it sits inside the kernel that runs many business-critical SAP processes.

CVE-2026-44747: what it is and why it matters

The vulnerability stems from an out-of-bounds write weakness (CWE-787). A low-privileged authenticated attacker can trigger logical errors in memory management, leading to unauthorized data access, data modification, or a full system crash. Affected versions span multiple kernel branches: KRNL64NUC 7.22 and 7.22EXT, KRNL64UC 7.22 through 7.53, and KERNEL versions 7.22 through 9.20.

SAP described a temporary workaround — disabling specific ICF nodes via transaction SICF — but noted this also blocks SAP GUI for HTML access. In environments where that trade-off is unacceptable, applying the corrected ABAP kernel is the only real option. Onapsis Research Labs supported SAP in the patch development.

Security teams managing large SAP landscapes with multiple kernel versions across development, quality, and production systems should verify which exact kernel branches are running in each environment rather than relying on asset inventories that may be out of date. Source repositories and container images can contain older versions that do not reflect a recent patching campaign.

Two more critical vulnerabilities in this cycle

CVE-2026-27690, scored at CVSS 9.1, is an HTTP request smuggling vulnerability in SAP Approuter affecting versions prior to 20.10.0. SAP Approuter is a Node.js routing component widely used in cloud application deployments. An unauthenticated attacker can send a crafted HTTP request that causes front-end and back-end components to disagree about request boundaries, potentially exposing other users' responses or degrading availability. The fix is upgrading to version 20.10.0 or later. Teams should also review what version is actually running inside deployed containers and application bundles, since dependency lock files can preserve older versions after a source-level update.

CVE-2026-44761, also at CVSS 9.1, affects SAP Commerce Cloud releases HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21. The issue involves an OAuth2 client that was created using sample credentials documented in SAP Help Portal materials. If an organization ran that configuration script in production and left the default secret in place, an unauthenticated attacker can obtain a valid access token and call sensitive APIs. SAP's fix updates documentation; the actual remediation requires administrators to audit production systems and manually remove or re-credential any OAuth2 clients derived from the sample configuration.

What SAP security teams should do now

Start with CVE-2026-44747. If the temporary SICF workaround would disrupt SAP GUI for HTML workflows, prioritize testing and deploying the corrected kernel instead of running on the workaround for any extended period. For Approuter, verify the running package version across all deployed applications and containers — not just what is listed in source control. For Commerce Cloud, audit OAuth2 clients in production against the documented sample client configuration.

Organizations that need help mapping these notes to their specific SAP landscape and prioritizing remediation across complex multi-system environments can benefit from specialized SAP security advisory support. Services focused on SAP vulnerability management, like those offered by firms such as TozenLabs, can provide the targeted assessment and prioritization guidance that internal teams often lack the capacity to deliver during a high-severity patch cycle like this one.

SAP has confirmed no public proof-of-concept exploits for the July vulnerabilities as of the release date. That window does not stay open long. In 2026, AI-assisted attack tools can reverse-engineer SAP security patches and generate working exploits within hours of release. The patch is available now.

Filed under:Technology