SAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce Cloud
SAP releases 19 security notes, patching critical flaws in NetWeaver, Approuter, and Commerce Cloud.
Summary
SAP has released 19 new and updated security notes, including patches for critical vulnerabilities in NetWeaver, Approuter, and Commerce Cloud. The most severe, CVE-2026-44747, is a memory corruption bug in NetWeaver Application Server ABAP with a CVSS score of 9.9, potentially allowing data access, modification, and system unavailability. Other critical flaws include an HTTP request smuggling issue in Approuter (CVE-2026-27690) and a hardcoded credential vulnerability in Commerce Cloud (CVE-2026-44761).
Full text
Enterprise software maker SAP on Tuesday announced the release of 19 new and updated security notes as part of its July 2026 security patch day. The most severe of the resolved vulnerabilities is CVE-2026-44747 (CVSS score of 9.9), a memory corruption bug in NetWeaver Application Server ABAP. Successful exploitation of the security defect could allow an attacker to access and modify data, and cause system unavailability, SAP security firm Onapsis explains. SAP customers are strongly advised to apply the fresh patches to resolve the flaw, but can also “disable all ICF nodes with a specific property in transaction SICF” as a temporary workaround. The second security note released on SAP’s July 2026 security patch day fixes a critical HTTP request smuggling issue in Approuter, tracked as CVE-2026-27690 (CVSS score of 9.1). “The vulnerability affects SAP Approuter deployments in non-Cloud Foundry environments and allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization,” Onapsis says.Advertisement. Scroll to continue reading. Another critical-severity vulnerability was addressed in Commerce Cloud. Tracked as CVE-2026-44761 (CVSS score of 9.1), it is described as a hardcoded credential issue and could lead to unauthorized data access and modification. The bug is related to sample configuration scripts that were previously provided in the SAP Help Portal for development and testing, and which configure OAuth2 clients with known credentials. An unauthenticated attacker could abuse these credentials to obtain an access token that allows them to invoke specific APIs. This enables the attacker to read and tamper with system data. “Exploitation requires that the customer execute the sample script and retain the resulting OAuth2 client in production without replacing the hardcoded secret. Customers who removed the sample client or replaced the secret with a strong, unique value are not affected,” Onapsis notes. Older SAP documentation for Commerce Cloud did not warn customers against importing the default settings into production. The note addresses the lapse, but customers are advised to audit their production environments for the presence of the hardcoded credentials in sample OAuth2 clients. On Tuesday, SAP also updated a security note addressing a critical NetWeaver vulnerability initially patched in June, to provide support for additional packages. Additionally, the company released six security notes that address high-severity security defects across Integration Suite (Edge Integration Cell), SAProuter, NetWeaver Application Server Java (Configuration Wizard), Approuter, Commerce Cloud, and Change and Transport System Attach Tool (ctsattach). The notes for Integration Suite and Commerce Cloud contain patches for multiple Apache Camel and Apache Tomcat security bugs. The remaining new and updated notes released on SAP’s July 2026 security patch day address medium- and low-severity flaws across NetWeaver, S/4HANA, Fiori, CRM, and HANA Extended Application Services Classic Model. Related: RabbitMQ Vulnerability Threatens Enterprise Systems Related: Zimbra Patches Critical Code Execution Vulnerability Related: SAP Patches Critical NetWeaver, Commerce Vulnerabilities Related: SAP Patches Critical S/4HANA, Commerce Vulnerabilities Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Organizations Warned of Exploited Joomla Extension VulnerabilitiesProgress Prompts ShareFile Storage Zone Controller Shutdown Amid Security ConcernsGhost Accounts Abuse GitHub API in Mass Recon CampaignOkta Warns of Vishing Attacks Targeting Microsoft 365 CustomersGigaWiper Combines Multiple Malware for System-Level SabotageNetwork of 200 GitHub Repositories Used for Malware Infection12 Million Impacted by Data Breach at Japanese Telco KDDI15-Year-Old Linux Vulnerability ‘GhostLock’ Earns Researchers $92k From Google Latest News US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure RoutersValarian Raises $50 Million for Sovereign Infrastructure Control LayerMultiple Jscrambler Packages Impacted by Supply Chain AttackPentagon Suspends CMMC Phase 2 as It Rethinks Contractor Cybersecurity RulesHacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker to RedemptionCybersecurity M&A Roundup: 37 Deals Announced in June 2026RabbitMQ Vulnerability Threatens Enterprise SystemsZimbra Patches Critical Code Execution Vulnerability Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveBlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.Solana Foundation has appointed Michael Coates as Chief Information Security Officer.Michael Sikorski has joined Coinbase as Chief Information Security Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2026-44747
- cve — CVE-2026-27690
- cve — CVE-2026-44761