SAP’s July 2026 Security Patch Day addresses 16 vulnerabilities across its product portfolio, with three rated Critical. The most severe — CVE-2026-44747 — is a memory corruption flaw in SAP NetWeaver Application Server ABAP (the runtime environment powering nearly all SAP enterprise software), carrying a CVSS score of 9.9. A second Critical bug (CVE-2026-27690) affects SAP Approuter, a widely deployed Node.js middleware library for SAP Business Technology Platform cloud applications, enabling HTTP Request Smuggling. A third Critical flaw (CVE-2026-44761) in SAP Commerce Cloud involves default credentials that expose API access tokens. None of these bugs have been confirmed exploited in the wild as of July 14, but SAP flaws have been added to the CISA KEV catalog 14 times since 2021, including two exploited by ransomware groups.

What the Vulnerabilities Are

CVE-2026-44747 — SAP NetWeaver AS ABAP Memory Corruption (CVSS 9.9)

An out-of-bounds write weakness in the NetWeaver Application Server ABAP runtime. SAP’s advisory states: “SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability.”

The CVSS vector indicates: Network-based attack, low complexity, low privilege required (just an authenticated SAP user account), no user interaction. High impact on confidentiality, integrity, and availability. Scope is changed — meaning a compromised component can affect resources beyond its original security boundary. This is the reason for the elevated 9.9 score despite an authentication requirement: a low-privileged user can trigger consequences that extend beyond the ABAP server itself.

SAP NetWeaver AS ABAP is the runtime and application server layer that underlies essentially every SAP ERP, S/4HANA, and BW deployment. It handles business logic, HTTP interfaces, RFC calls, and batch processing. Internet-facing SAP NetWeaver systems are among the highest-value targets for sophisticated threat actors.

Remediation: SAP Security Note 3747367. Apply to affected kernel versions:

  • KRNL64NUC 7.22 and 7.22EXT
  • KRNL64UC 7.22, 7.22EXT, 7.53, 7.54
  • Kernel 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, 9.20

CVE-2026-27690 — SAP Approuter HTTP Request Smuggling (Critical)

SAP Approuter is a Node.js-based middleware library used by applications deployed on SAP Business Technology Platform (SAP BTP). Unauthenticated attackers can send specially crafted HTTP requests to trigger HTTP Request Smuggling — exploiting discrepancies between how the Approuter and a backend server parse HTTP transfer-encoding headers.

Real-world impact: request smuggling enables cache poisoning, session hijacking, bypassing security controls, and accessing user responses intended for other clients. No authentication is required. If your SAP BTP applications use Approuter (the default architecture), this is an unauthenticated attack vector.

Remediation: Patch Approuter via your SAP BTP deployment pipeline. Check the SAP Security Note referenced in SAP Note 3747367 for the specific Approuter version fix.

CVE-2026-44761 — SAP Commerce Cloud Default Credentials (Critical)

The SAP Commerce Cloud enterprise e-commerce platform ships default credentials that allow attackers to obtain valid access tokens and use them to read or modify data via certain APIs. “Default credentials” means an attacker who knows the defaults (e.g., via documentation, GitHub, or prior exposure) can authenticate without any specific knowledge of your environment.

Remediation: Change all default credentials in SAP Commerce Cloud after applying the July 2026 security update. Audit API token scopes and revoke any tokens that should not have read/write access.

Why It Matters

  • CVSS 9.9 with only “low privileges required” is a dangerous combination. An attacker with any valid SAP user account — even a read-only account — can trigger memory corruption that cascades beyond the ABAP server.
  • SAP runs 99 of the world’s 100 largest companies. Any internet-exposed SAP NetWeaver instance is a crown-jewel target. The Lazarus Group, ransomware operators, and other sophisticated threat actors have repeatedly targeted unpatched SAP systems.
  • HTTP Request Smuggling in Approuter (CVE-2026-27690) is unauthenticated. BTP-hosted applications using Approuter — which is the standard architecture — are exposed to session hijacking and access-control bypass with no credentials.
  • CISA has added 14 SAP flaws to KEV since 2021, including two exploited by ransomware groups. SAP bugs move from “patched, no exploitation” to “actively exploited” historically within weeks of disclosure.
  • SAP Commerce Cloud default credentials (CVE-2026-44761) represents the kind of “trivial to exploit” flaw that automated scanners will pick up immediately. If any internet-facing Commerce Cloud instance has factory credentials intact, it can be compromised by a script, not just a skilled attacker.

Am I Affected?

CVE-2026-44747 (ABAP): You are affected if you run SAP NetWeaver Application Server ABAP with any of these kernel versions: KRNL64NUC 7.22/7.22EXT, KRNL64UC 7.22/7.22EXT/7.53/7.54, Kernel 7.77/7.89/7.93/9.16/9.18/9.19/9.20. Check your ABAP system kernel version in transaction SM51 or in the SAP kernel info file.

CVE-2026-27690 (Approuter): You are affected if your applications on SAP BTP (Business Technology Platform) use Approuter as the Node.js middleware layer, which is the default for MTA-deployed BTP apps. Check your package.json or mta.yaml for the @sap/approuter dependency version.

CVE-2026-44761 (Commerce Cloud): You are affected if you run SAP Commerce Cloud (Hybris) and have not changed default platform/system credentials since initial deployment.

What to Do About It: Step-by-Step

SAP NetWeaver AS ABAP (CVE-2026-44747):

  1. Log into the SAP Support Portal at support.sap.com and locate SAP Security Note 3747367.
  2. Identify your ABAP system kernel version via transaction SM51 → select the server → System Info → Kernel Version.
  3. Download the corrected kernel from SAP Service Marketplace matching your kernel release and platform.
  4. Apply the kernel update during a maintenance window (requires ABAP system downtime):
    # On the SAP host, stop the SAP system
    sapcontrol -nr <instance> -function Stop
    # Replace kernel binaries in <sap_dir>/exe/
    # Restart
    sapcontrol -nr <instance> -function Start
  5. Verify the kernel version with sm51 → kernel info after restart.

SAP Approuter (CVE-2026-27690):

  1. In your BTP application source, update @sap/approuter to the patched version listed in the SAP Security Note for CVE-2026-27690.
  2. Rebuild and redeploy your MTA application:
    npm update @sap/approuter
    mbt build
    cf deploy <mtar-file>
  3. Confirm the running Approuter version in the BTP Cockpit under your application’s environment details.

SAP Commerce Cloud (CVE-2026-44761):

  1. Apply the July 2026 SAP Commerce Cloud security update via your CCV2 cloud deployment pipeline.
  2. Immediately after patching: rotate all default credentials. Check and change:
    • Platform admin password (admin account in Backoffice)
    • Solr admin credentials
    • JDBC and datasource credentials
    • Any pre-configured integration API credentials
  3. Audit all OAuth clients and API tokens — revoke any tokens with broader scopes than necessary.

Quick-Win Checklist

  • Identified all SAP NetWeaver AS ABAP systems and noted their kernel versions (SM51)
  • Applied SAP Security Note 3747367 (kernel patch for CVE-2026-44747)
  • Verified ABAP kernel version post-patch in SM51
  • Updated @sap/approuter to patched version in all BTP applications (CVE-2026-27690)
  • Redeployed affected BTP MTA applications
  • Applied SAP Commerce Cloud July 2026 security update (CVE-2026-44761)
  • Rotated all Commerce Cloud default credentials (Backoffice admin, Solr, JDBC, OAuth clients)
  • Reviewed CISA KEV catalog for SAP entries and confirmed your environment is patched for all 14 previously added SAP CVEs

Sources