SAP Patches Critical ABAP Vulnerability

Summary

SAP released 20 new and updated security notes on Tuesday addressing vulnerabilities across over a dozen enterprise products. The most critical flaw is CVE-2026-27681 (CVSS 9.9), a SQL injection vulnerability in Business Planning and Consolidation and Business Warehouse that allows low-privileged users to upload files containing arbitrary SQL statements leading to code execution, data theft, and database tampering. Additional high and medium-severity flaws were patched in S/4HANA, ERP, BusinessObjects, NetWeaver, and other SAP products, with no current evidence of in-the-wild exploitation.

Full text

SAP on Tuesday announced the release of 20 new and updated security notes as part of its April 2026 security patch day. The most severe of the resolved flaws is CVE-2026-27681 (CVSS score of 9.9), a critical SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. “The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” software security firm Onapsis explains. According to Pathlock senior product manager Jonathan Stross, the upload functionality could be exploited for direct database abuse, allowing an attacker to read and tamper with data without user interaction. “In a potential attack scenario, an attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores. Once successfully exploited, the vulnerability can allow an attacker to extract sensitive financial data, alter reports, models, or consolidation figures, delete or corrupt database content, and create major disruption,” Stross said. According to Onapsis, SAP resolved the issue by completely deactivating the executable code.Advertisement. Scroll to continue reading. On Tuesday, SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs. Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure, denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content, or code execution in the victim’s browser. The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application, and S4CORE. The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation. SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the security notes as soon as possible. Related: SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities Related: SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities Related: SAP’s January 2026 Security Updates Patch Critical Vulnerabilities Related: SAP Patches Critical Vulnerabilities With December 2025 Security Updates Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Fake Claude Website Distributes PlugX RATGmail Brings End-to-End Encryption to Android and iOS for Enterprise UsersJuniper Networks Patches Dozens of Junos OS VulnerabilitiesOrthanc DICOM Vulnerabilities Lead to Crashes, RCEMITRE Releases Fight Fraud FrameworkCritical Marimo Flaw Exploited Hours After Public DisclosureGoogle Rolls Out Cookie Theft Protections in ChromeGoogle API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access Latest News Triad Nexus Evades Sanctions to Fuel CybercrimeGoogle Adds Rust DNS Parser to Pixel Phones for Better SecurityNightclub Giant RCI Hospitality Reports Data BreachOrganizations Warned of Exploited Windows, Adobe Acrobat VulnerabilitiesBooking.com Says Hackers Accessed User InformationBrowserGate: Claims of LinkedIn ‘Spying’ Clash With Security Research FindingsOpenAI Impacted by North Korea-Linked Axios Supply Chain HackInternational Operation Targets Multimillion-Dollar Crypto Theft Schemes Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveThe United States Department of War appointed David Vaughn as Technical Advisor for Data Infrastructure.Black Duck has named Dom Glavach as Chief Information Security Officer.Finite State has named Ann Miller as Vice President of Marketing.More People On The MoveExpert Insights The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-27681
• cve — CVE-2026-34256

Entities