SAP has released its July 2026 Security Patch Day updates, fixing 16 vulnerabilities across multiple enterprise products. While monthly security updates are routine for SAP customers, this month’s release stands out because it includes three critical vulnerabilities affecting SAP NetWeaver Application Server ABAP, SAP Approuter, and SAP Commerce Cloud.
Although SAP says it has not observed active exploitation of these vulnerabilities at the time of publication, the company’s software has repeatedly become a target for cybercriminals in recent years. Given how widely SAP products are deployed across governments, banks, healthcare providers, manufacturers, retailers, and Fortune 500 companies, security teams are being urged to prioritize these updates before attackers begin weaponizing them.

Three Critical Vulnerabilities Lead the July Security Updates
Among the 16 vulnerabilities fixed this month, three have been classified as Critical due to the potential impact on enterprise environments.
These flaws affect both traditional on-premises SAP deployments and cloud-based services, expanding the range of organizations that could be exposed if updates are delayed.
Critical NetWeaver Memory Corruption Vulnerability (CVE-2026-44747)
The most serious issue addressed in this month’s release is CVE-2026-44747, a memory corruption vulnerability affecting SAP NetWeaver Application Server ABAP (AS ABAP).
NetWeaver serves as one of SAP’s core technology platforms. It powers numerous SAP business applications, making it one of the most widely deployed components across enterprise environments.
According to SAP, the vulnerability originates from an out-of-bounds write caused by errors in memory management.
An authenticated attacker could exploit this weakness to corrupt application memory, potentially allowing:
- Unauthorized access to sensitive enterprise data
- Modification of business information
- Application crashes
- Service disruption
- Loss of system availability
Because the vulnerability affects confidentiality, integrity, and availability simultaneously, SAP has assigned it a Critical severity rating.
Organizations that rely heavily on SAP ERP systems should treat this update as a high priority, especially where multiple users have authenticated access to NetWeaver environments.
SAP Approuter Vulnerable to HTTP Request Smuggling (CVE-2026-27690)
The second critical issue, CVE-2026-27690, affects SAP Approuter, the Node.js-based middleware used within the SAP Business Technology Platform (SAP BTP).
Approuter acts as a gateway between users and cloud applications, handling authentication, routing, and request forwarding.
The vulnerability is an HTTP Request Smuggling flaw.
HTTP Request Smuggling occurs when front-end and back-end servers interpret HTTP requests differently. By crafting specially designed requests, attackers can manipulate how traffic flows through the application infrastructure.
According to SAP, successful exploitation could allow unauthenticated attackers to:
- Access responses intended for other users
- Interfere with application traffic
- Trigger denial-of-service conditions
- Manipulate request handling
Because exploitation does not require authentication, organizations exposing SAP cloud services to the internet should prioritize patching affected systems.
Default Credentials Found in SAP Commerce Cloud (CVE-2026-44761)
The third critical vulnerability, CVE-2026-44761, impacts SAP Commerce Cloud, SAP’s enterprise e-commerce platform used by retailers and large online businesses.
Unlike the previous vulnerabilities, this issue stems from default credentials remaining present in certain deployments.
If left unchanged, attackers could use these credentials to obtain valid access tokens and interact with specific APIs.
SAP warns that exploitation may allow attackers to:
- Read sensitive business information
- Modify application data
- Access protected APIs
- Perform unauthorized operations using valid authentication tokens
While default credentials are a well-known security risk, they continue to appear in enterprise software and remain a common entry point during real-world attacks.
Organizations should ensure that all default credentials are removed or replaced immediately after deployment.
Additional High-Severity Vulnerabilities Fixed
Beyond the three critical issues, SAP’s July Security Patch Day also resolves six High severity, seven Medium severity, and one Low severity vulnerabilities.
The fixes span a broad range of security weaknesses commonly targeted by attackers, including:
- DLL hijacking
- Remote code execution
- SQL injection
- Cross-site scripting (XSS)
- Missing authorization checks
- Path traversal
- Open redirects
- Information disclosure
- Denial-of-service
- Security misconfigurations
While these flaws vary in severity, organizations should review SAP’s security notes carefully to determine which products are deployed within their environments.
No Known Exploitation Yet, But SAP Has Been Targeted Before
SAP says it has not identified evidence that any of the newly patched vulnerabilities are currently being exploited.
However, history suggests organizations should not become complacent.
Since November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 14 SAP vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that attackers have actively abused multiple SAP security flaws in real-world attacks.
Several of those vulnerabilities have been linked to ransomware operations, where threat actors targeted exposed SAP servers to gain initial access into enterprise networks.
Once public technical details become available, attackers frequently begin scanning the internet for vulnerable systems that have not yet been updated.
This makes rapid patch deployment particularly important following every SAP Security Patch Day.
SAP’s Recent Security Challenges Continue
July’s security updates arrive only weeks after another busy month for SAP’s security teams.
In June 2026, SAP released patches addressing 15 additional vulnerabilities, including critical issues affecting NetWeaver and Commerce Cloud.
Around the same period, SAP also disclosed a supply chain compromise involving multiple official npm packages. Attackers modified legitimate SAP packages in an attempt to steal developer credentials from systems that downloaded the malicious updates.
While the two incidents are unrelated, together they highlight how enterprise software vendors continue to face attacks targeting both their infrastructure and their customers.
Why These Updates Matter
SAP software sits at the heart of business operations for thousands of organizations worldwide.
Financial transactions, payroll systems, manufacturing processes, inventory management, procurement, customer databases, and supply chains often depend on SAP applications functioning securely.
Because of this central role, vulnerabilities in SAP software can have consequences far beyond a single application.
A successful compromise may expose sensitive corporate data, interrupt critical business operations, or provide attackers with a foothold inside enterprise networks.
Even vulnerabilities that require authentication deserve immediate attention, as attackers frequently chain multiple weaknesses together after gaining initial access through phishing, credential theft, or compromised accounts.
What Organizations Should Do
Security teams using SAP products should review the July 2026 Security Patch Day notes and identify whether any deployed systems are affected.
Recommended actions include:
- Apply SAP’s July 2026 security updates as soon as possible.
- Prioritize systems running SAP NetWeaver, SAP Approuter, and SAP Commerce Cloud.
- Remove or replace any default credentials immediately.
- Review authentication logs for unusual activity.
- Restrict internet exposure wherever possible.
- Monitor SAP systems for unexpected API access or abnormal behavior following patch deployment.
Organizations operating mission-critical SAP environments should also verify that patch deployment has completed successfully across development, testing, and production systems.
FAQs
what is CVE-2026-44747?
CVE-2026-44747 is a critical memory corruption vulnerability (CVSS 9.9) in SAP NetWeaver Application Server ABAP, caused by an out-of-bounds write in the SAP kernel. An authenticated attacker can trigger it to corrupt memory, potentially leading to unauthorized data access, modification, or system unavailability. SAP patched it in Security Note 3747367.
SAP Approuter CVE-2026-27690?
CVE-2026-27690 is a critical HTTP request smuggling vulnerability (CVSS 9.1) in SAP Approuter versions before 20.10.0. It allows an unauthenticated attacker to send crafted HTTP requests that bypass front-end security controls or manipulate how backend systems process requests. It primarily affects non-Cloud Foundry Approuter deployments.
SAP Commerce Cloud default credentials vulnerability?
CVE-2026-44761 is a critical vulnerability (CVSS 9.1) in SAP Commerce Cloud caused by publicly documented sample OAuth2 client credentials that were sometimes carried into production environments. An unauthenticated attacker who knows these credentials can obtain a valid access token and use it to read or modify data through certain APIs.









