SAP warns of critical flaws in NetWeaver and Commerce Cloud
SAP patches 16 vulnerabilities including 3 critical flaws in NetWeaver, Commerce Cloud, and AppRouter.
Summary
SAP released security updates addressing 16 vulnerabilities in July 2026, including three critical flaws: CVE-2026-44747 (memory corruption in NetWeaver AS ABAP), CVE-2026-27690 (HTTP Request Smuggling in AppRouter), and CVE-2026-44761 (default credentials in Commerce Cloud). The updates also address six high-severity, seven medium-severity, and one low-severity issues across multiple product lines, though no active exploitation has been confirmed yet.
Full text
SAP warns of critical flaws in NetWeaver and Commerce Cloud By Sergiu Gatlan July 14, 2026 07:42 AM 0 SAP has addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter. The first critical issue patched this month is a memory corruption security issue (tracked as CVE-2026-44747) stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP), the runtime environment, application server, and development platform for core SAP enterprise software. "SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability," SAP says. "This has high impact on confidentiality, integrity, and availability of the application." The second one (CVE-2026-27690) is an HTTP Request Smuggling vulnerability in SAP Approuter, a Node.js-based middleware library for cloud-based apps deployed on the company's Business Technology Platform (SAP BTP). Unauthenticated attackers can exploit this flaw via specially crafted HTTP requests to access user responses and trigger denial-of-service attacks on the targeted system. The third critical flaw addressed today (tracked as CVE-2026-44761) was found in the SAP Commerce Cloud enterprise e-commerce platform and stems from default credentials that enable attackers to get valid access tokens and read or modify data via certain APIs. SAP's July 2026 advisory also lists fixes for six high-severity flaws, seven medium-severity ones, and one low-severity vulnerability, including DLL hijacking, open redirect, missing authorization checks, remote code execution, cross-site scripting (XSS), path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations. While the company has yet to find evidence that the vulnerabilities patched today have been exploited in attacks, CISA has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog since November 2021, including two that were abused by ransomware gangs. Most recently, SAP fixed 15 vulnerabilities as part of its June 2026 Security Patch package, and attackers compromised multiple official SAP npm packages in a supply chain attack aimed at stealing credentials from developers' systems. The German multinational software corporation has reported total revenues exceeding €36 billion in fiscal year 2025 and servers 99 of the 100 largest companies worldwide. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: SAP fixes critical flaws in NetWeaver and Commerce CloudCISA warns of actively exploited RCE flaws in Joomla extensionsHackers exploit critical auth bypass in Gitea Docker imageZimbra urges customers to patch critical web client XSS flawGoogle: Hackers exploited Zimbra zero-day in attacks on govt orgs
Indicators of Compromise
- cve — CVE-2026-44747
- cve — CVE-2026-27690
- cve — CVE-2026-44761