Vulnerabilities | May 12, 2026

SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA

SAP releases May 2026 patches for 15 vulnerabilities including two critical flaws in Commerce Cloud and S/4HANA.

Summary

SAP released its May 2026 security updates addressing 15 vulnerabilities across multiple products, with two critical flaws affecting Commerce Cloud and S/4HANA. CVE-2026-34263 is an unauthenticated remote code execution in Commerce Cloud due to improper Spring Security configuration, while CVE-2026-34260 is a SQL injection flaw in S/4HANA that allows attackers with basic privileges to access sensitive data. SAP has not observed active exploitation of these flaws, though the vendor has a history of vulnerabilities being abused in the wild, including recent npm supply-chain compromises.

Full text

By Sergiu Gatlan, May 12, 2026 07:04 AM

SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in Commerce Cloud and S/4HANA.

Commerce Cloud is an enterprise-grade e-commerce platform used by online stores owned by large retailers and global brands, while S/4HANA is a cloud-based Enterprise Resource Planning (ERP) suite that will replace the company's on-premises ECC ERP system.

Tracked as CVE-2026-34263, the first critical flaw is a missing authentication check in SAP Commerce Cloud that allows unauthenticated attackers to execute code on vulnerable servers.

"Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application," SAP says.

The second critical vulnerability (CVE-2026-34260) enables attackers with basic privileges to inject malicious SQL statements in low-complexity SQL injection attacks.

"The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization," according to SAP. "Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected."

SAP's May 2026 security advisory also lists fixes for one high-severity flaw and 11 medium-severity issues, including command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service.
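The flaw pattern SAP describes for CVE-2026-34260 (user input concatenated straight into a query) and its hardened form, as an added illustration that is not SAP code and does not reflect S/4HANA's schema or queries; the `vendor` table, the names and the IBAN strings are constructed sample data:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an ERP master-data lookup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendor (id INTEGER, name TEXT, iban TEXT)")
    conn.executemany(
        "INSERT INTO vendor VALUES (?, ?, ?)",
        [(1, "ACME", "DE00 0000 0000 0000 0000 01"),
         (2, "Globex", "DE00 0000 0000 0000 0000 02"),
         (3, "Initech", "DE00 0000 0000 0000 0000 03")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The defect SAP describes: input is spliced into the query text, so the
    # input can alter the query's structure instead of just its value.
    sql = "SELECT id, name, iban FROM vendor WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the value is bound as a parameter and is always treated
    # as data by the database driver, never parsed as SQL.
    sql = "SELECT id, name, iban FROM vendor WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo() -> dict:
    conn = make_db()
    tautology = "x' OR '1'='1"   # textbook payload: turns the WHERE into "always true"
    quoted = "O'Brien"           # a legitimate value that merely contains a quote
    out = {
        "vuln_normal": len(lookup_vulnerable(conn, "ACME")),
        "safe_normal": len(lookup_safe(conn, "ACME")),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),  # every row leaks
        "safe_tautology": len(lookup_safe(conn, tautology)),        # matches nothing
        "safe_quote": len(lookup_safe(conn, quoted)),
    }
    try:
        lookup_vulnerable(conn, quoted)
        out["vuln_quote"] = "ok"
    except sqlite3.OperationalError:
        # The availability impact from the advisory: malformed query, request fails.
        out["vuln_quote"] = "error"
    return out

if __name__ == "__main__":
    print(demo())
```

The two outcomes map onto the advisory's impact statement: the concatenated query leaks all rows (confidentiality) and fails on a stray quote (availability), while the parameterised query returns only exact matches in both cases.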
While SAP hasn't found evidence that any of the vulnerabilities patched today were exploited in the wild, CISA has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog in recent years, including two that were abused in ransomware attacks.

Most recently, multiple official SAP npm packages were compromised in a supply-chain attack aimed at stealing credentials and authentication tokens from developers' systems.

As the world's largest vendor of enterprise software, the German multinational software corporation serves 99 of the 100 largest companies worldwide and reported total revenues exceeding €36 billion in fiscal year 2025.

Indicators of Compromise

  • cve — CVE-2026-34263
  • cve — CVE-2026-34260

Entities

  • SAP (vendor)
  • Commerce Cloud (product)
  • S/4HANA (product)
  • Spring Security (product)
  • npm (technology)