SAP's June 2026 security batch closes 15 vulnerabilities, four of them critical. The two that deserve immediate attention let attackers forge identities in SAML environments or trigger memory corruption with no login at all.
SAP shipped its June 2026 Security Patch package on June 9, fixing 15 vulnerabilities across its product line. Four of them carry critical CVSS scores, and they land in two of the most widely deployed pieces of SAP's stack: the NetWeaver application server and Commerce Cloud. If you run either, this is not a patch cycle to defer to the next maintenance window.

NetWeaver is the foundation under most of SAP's business software, the middleware that handles application serving, integration, authentication, and user management for ERP and dozens of other systems. Commerce Cloud, formerly Hybris, runs online storefronts, product catalogs, customer accounts, and order management for both B2B and B2C operations. A flaw in either one tends to sit close to sensitive data and business-critical processes, which is exactly why the scores this month run so high.
The two flaws to patch first
The standout is CVE-2026-44748 (CVSS 9.9), an XML Signature Wrapping vulnerability in NetWeaver AS ABAP and the ABAP Platform. In plain terms, an authenticated attacker with ordinary privileges can take a legitimately signed XML message, modify it, and get the verifier to accept the tampered version. SAP's own description spells out the consequence: "acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage."
XML Signature Wrapping is an old and stubborn class of bug. The signature on a SAML assertion is genuinely valid, but the verifier checks it against one element and then processes a different, attacker-controlled element elsewhere in the document. The cryptography passes, and the identity is forged. SAML-based single sign-on environments are the obvious blast radius here, because a forged assertion can mean logging in as someone you are not.
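To make the verifier mistake concrete, here is a toy SAML-style verifier written for this article (it is not SAP's code and does not reproduce the SAP bug). An HMAC over the canonical bytes of the referenced element stands in for a real XML-DSig signature; the key, the XML fixtures and the function names `naive_verify` and `strict_verify` are all constructed. The naive version checks the signature on the element the Reference points at but consumes the first `<Assertion>` it finds, which is exactly the gap the text describes; the hardened version consumes only the element that was actually signed and rejects documents with extra assertions or duplicate IDs.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the IdP's signing key. Real XML-DSig uses RSA/ECDSA,
# but wrapping is a verifier-logic bug, so an HMAC demonstrates it just as well.
IDP_KEY = b"constructed-idp-signing-key"


def _c14n(elem):
    """Canonical bytes of one element (xml.etree ships C14N 2.0 since 3.8)."""
    node = copy.copy(elem)
    node.tail = None  # never let trailing text leak into the signed bytes
    xml = ET.tostring(node, encoding="unicode")
    return ET.canonicalize(xml_data=xml, strip_text=True).encode()


def _mac(elem):
    return hmac.new(IDP_KEY, _c14n(elem), hashlib.sha256).hexdigest()


def sign_assertion(assertion_xml):
    """IdP side: wrap <Assertion ID=...> in a <Response> whose <Signature>
    carries a Reference URI pointing at the assertion's ID."""
    assertion = ET.fromstring(assertion_xml)
    resp = ET.Element("Response")
    sig = ET.SubElement(resp, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, "SignatureValue").text = _mac(assertion)
    resp.append(assertion)
    return ET.tostring(resp, encoding="unicode")


def wrapped_response(response_xml, unsigned_assertion_xml):
    """Constructed test input modelling the failure mode: the signed assertion
    stays intact (so the signature still verifies) but an unsigned assertion
    is placed ahead of it in document order."""
    doc = ET.fromstring(response_xml)
    doc.insert(1, ET.fromstring(unsigned_assertion_xml))  # right after <Signature>
    return ET.tostring(doc, encoding="unicode")


def _signed_targets(doc):
    """Resolve the Reference URI to every element carrying that ID."""
    sig = doc.find("Signature")
    if sig is None or sig.find("Reference") is None:
        return [], None
    ref_id = sig.find("Reference").get("URI", "").lstrip("#")
    mac = sig.findtext("SignatureValue")
    return [e for e in doc.iter() if e.get("ID") == ref_id], mac


def _mac_ok(elem, mac):
    return mac is not None and hmac.compare_digest(_mac(elem), mac)


def naive_verify(response_xml):
    """Vulnerable pattern: checks the signature on the referenced element, then
    consumes the *first* <Assertion> in the document, which need not be it."""
    doc = ET.fromstring(response_xml)
    targets, mac = _signed_targets(doc)
    if not targets or not _mac_ok(targets[0], mac):
        return None
    return doc.find(".//Assertion").findtext("Subject")


def strict_verify(response_xml):
    """Hardened: the ID must resolve to exactly one element, that element must
    be the assertion we consume, and no other <Assertion> may be present."""
    doc = ET.fromstring(response_xml)
    targets, mac = _signed_targets(doc)
    if len(targets) != 1 or not _mac_ok(targets[0], mac):
        return None
    signed = targets[0]
    if list(doc.iter("Assertion")) != [signed]:  # Element == is identity
        return None
    return signed.findtext("Subject")


if __name__ == "__main__":
    good = sign_assertion('<Assertion ID="_a1"><Subject>alice</Subject></Assertion>')
    wrapped = wrapped_response(good, '<Assertion ID="_x9"><Subject>admin</Subject></Assertion>')
    print("naive :", naive_verify(good), naive_verify(wrapped))    # alice admin
    print("strict:", strict_verify(good), strict_verify(wrapped))  # alice None
```

The design point is that signature verification and assertion consumption must refer to the same object, not merely to the same document: resolve the Reference, verify that element, and hand that exact element to the code that reads the subject. Rejecting duplicate IDs and surplus assertions closes the variants where the referenced ID is ambiguous.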
The second priority is CVE-2026-27671 (CVSS 9.8), a memory corruption flaw in the ABAP Platform Application Server. Unlike the signature bug, this one needs no authentication at all. An attacker sends crafted RFC requests to vulnerable endpoints, and improper validation in the kernel leads to memory corruption. Unauthenticated, network-reachable memory corruption in the core application server is roughly the worst combination SAP can disclose, and it should move to the front of any patching queue.
Rounding out the critical four:
- CVE-2026-22732 (CVSS 9.1), a Spring Security issue affecting Commerce Cloud and SAP Data Hub.
- CVE-2026-40128 (CVSS 9.0), a directory traversal flaw in the Web Container of NetWeaver AS Java.

The long tail of high and medium fixes
Beyond the headline four, SAP closed two high-severity issues worth tracking. CVE-2026-29145 bundles multiple Apache Tomcat flaws that reach into Commerce Cloud, a reminder that a lot of SAP's exposure comes from the open-source components underneath the SAP-branded layer. CVE-2026-44751 is a missing authorization check in NetWeaver AS ABAP, the kind of bug that lets a user reach functionality they were never meant to touch.
The rest of the bulletin cleans up SQL injection, path traversal, cross-site scripting, email spoofing, and authorization bypass issues spread across multiple products. None of those are critical on their own, but they are the building blocks attackers chain together once they have a foothold, so they belong in the same patch wave.
As usual, the technical details, mitigation steps, and any available workarounds sit behind the SAP support portal and are only visible to customers with a security account. That gating is worth planning around. Your security team cannot read the advisories unless someone with portal access pulls them, so make sure the person tracking SAP Security Notes actually has the credentials before patch day, not after.
What to do this week
The practical sequence is straightforward. Inventory which systems run NetWeaver AS ABAP, NetWeaver AS Java, and Commerce Cloud, then map each against the four critical CVEs. Patch the unauthenticated memory corruption bug (CVE-2026-27671) and the SAML signature bypass (CVE-2026-44748) first, since those two carry both the highest scores and the most severe real-world impact.
For the SAML flaw specifically, anyone running SSO into SAP should treat the patch as the fix and not lean on network controls as a substitute. Signature wrapping happens after the request reaches the application, so a firewall in front of NetWeaver does nothing to stop it. If you cannot patch immediately, scrutinize authentication logs for assertions that do not match expected identity flows, and consider tightening which identity providers your verifier trusts.

For the unauthenticated RFC bug, restrict access to RFC endpoints at the network layer as a stopgap. RFC interfaces should never be broadly reachable from untrusted segments, and this CVE is a good prompt to audit who can actually talk to those endpoints today. That control buys time, but it is not a replacement for the kernel update.
SAP environments are notoriously slow to patch because they sit at the center of finance and operations, and downtime carries real business cost. That caution is understandable, but it is also exactly what attackers count on. A CVSS 9.8 unauthenticated bug and a CVSS 9.9 authentication bypass are not the place to apply the usual go-slow approach. Schedule the test cycle now, validate in a non-production tier, and get the critical four deployed before the proof-of-concept code that inevitably follows these disclosures shows up in the wild.
