SAP Patches Critical 9.9 Flaw in NetWeaver as Enterprise Security Stakes Rise
SAP released its July 2026 Security Patch Day updates on July 14, addressing 16 new security notes and one GitHub advisory. Three of those notes cover critical vulnerabilities. Security teams running SAP environments should treat this patch cycle as urgent, because two of the three critical flaws can be exploited without authentication.
CVE-2026-44747: A 9.9-scored memory corruption bug in NetWeaver ABAP
The most severe issue is CVE-2026-44747, a memory corruption vulnerability in SAP NetWeaver Application Server ABAP, carrying a CVSS score of 9.9. The flaw stems from logical errors in memory management. An authenticated attacker with low privileges can exploit those errors to corrupt memory, which SAP says could lead to unauthorized data access, data modification, or full system unavailability.
The affected kernel versions span a wide range: KRNL64NUC 7.22 through 7.22EXT, KRNL64UC 7.22 through 9.20, and KERNEL 7.22 through 9.20. That covers both legacy and current NetWeaver deployments. SAP recommends patching via Security Note 3747367 and also offers a temporary workaround: disabling all ICF nodes with a specific property in transaction SICF.
NetWeaver AS ABAP is the runtime environment and development platform that underpins a substantial portion of enterprise ERP operations worldwide. SAP serves 99 of the 100 largest companies globally, which gives this particular class of vulnerability an unusually broad blast radius.
CVE-2026-27690: Unauthenticated HTTP request smuggling in SAP Approuter
The second critical flaw is CVE-2026-27690, rated 9.1, affecting SAP Approuter versions prior to 20.10.0. Approuter is the Node.js middleware that routes incoming traffic for applications built on SAP's Business Technology Platform (SAP BTP). No authentication is required to exploit it. An attacker can send a crafted HTTP request that causes request-response desynchronization between front-end proxies and back-end applications, a technique called HTTP request smuggling. The consequences range from bypassing security controls to intercepting other users' session data or taking the service offline.
According to Onapsis, the vulnerability specifically affects Approuter deployments in non-Cloud Foundry environments, though organizations should confirm their configuration against the advisory regardless.
CVE-2026-44761: Default credentials left active in Commerce Cloud
The third critical issue, CVE-2026-44761 (CVSS 9.1), affects SAP Commerce Cloud releases HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21. It traces back to sample OAuth2 credentials that SAP previously included in documentation for development and testing purposes. If those credentials were applied to a production system and never rotated, an unauthenticated attacker can use them to generate valid access tokens and read or modify system data through specific APIs. No elaborate exploit chain required.
SAP notes that customers who removed the sample client or replaced the secret with a unique value are not affected. For everyone else, credential rotation is the immediate action item.
What this patch cycle reflects about SAP security in 2026
This is not an isolated month. CISA has added 14 SAP vulnerabilities to its Known Exploited Vulnerabilities catalog since late 2021, including two that were actively weaponized by ransomware groups. SAP systems are attractive targets for exactly the reason they are valuable to businesses: they hold financial transactions, HR records, supply chain data, and customer master data in one place. A single foothold gives an attacker access to all of it.
In 2026, AI-assisted attack tooling has shortened the window between patch release and working exploit development to hours. That makes rapid patch management on SAP HotNews and critical notes, those rated CVSS 9.0 and above, an operational priority rather than a scheduled maintenance item.
Beyond the three critical notes, the July advisory lists six high-severity fixes covering DLL hijacking in SAProuter on Windows (CVE-2026-0487, CVSS 8.4), remote code execution in SAP Integration Suite (CVE-2026-40860, CVSS 8.8), and an RCE flaw in the Change and Transport System Attach Tool (CVE-2026-58233, CVSS 7.6). SAP says it has found no evidence of active exploitation of this batch as of July 14.
Security teams managing SAP estates should apply the three critical notes without delay, rotate Commerce Cloud OAuth2 credentials, review internet-facing Approuter deployments, and monitor SAP logs for unusual API calls or authentication events. Organizations looking to build a more systematic approach to SAP vulnerability management, from patch prioritization to continuous compliance monitoring, can find specialized ERP security guidance at tozenLabs, a resource focused on SAP security hardening frameworks relevant to exactly the class of threats this patch day represents.