SAP patches 4 critical flaws up to CVSS 9.9 in NetWeaver and Commerce Cloud on June Patch Day
SAP's June 2026 Security Patch Day, released June 9, delivered 15 new security notes including four HotNews-rated vulnerabilities — an unusually critical batch for the ERP vendor.
At a glance
- SAP released 15 new security notes on June 9, 2026, including four HotNews-rated vulnerabilities
- CVE-2026-44748 (CVSS 9.9): XML Signature Wrapping flaw in SAML authentication for NetWeaver AS ABAP and ABAP Platform
- CVE-2026-27671 (CVSS 9.8): memory corruption in the AS ABAP kernel exploitable via crafted RFC requests without credentials
- CVE-2026-22732 (CVSS 9.1): Spring Security flaw affecting SAP Commerce Cloud and SAP Data Hub, unauthenticated remote exploitation
- CVE-2026-40128 (CVSS 9.0): directory traversal in NetWeaver AS Java Web Container
VERDICT — CONFIRMED
SAP's June 2026 Security Patch Day, released June 9, delivered 15 new security notes including four HotNews-rated vulnerabilities — an unusually critical batch for the ERP vendor. The most severe, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform that lets a low-privileged authenticated attacker obtain a valid signed message and transmit modified signed XML documents, enabling tampered identity assertions, unauthorized access to sensitive user data and privilege escalation across enterprise systems.
CVE-2026-27671 (CVSS 9.8) is a memory-corruption bug in the Application Server ABAP kernel triggered by specially crafted RFC requests that exploit improper protocol validation without any valid credentials. CVE-2026-22732 (CVSS 9.1) inherits a Spring Security framework vulnerability into SAP Commerce Cloud and SAP Data Hub, exploitable by unauthenticated remote attackers without user interaction, while CVE-2026-40128 (CVSS 9.0) is a directory traversal flaw in the NetWeaver Application Server Java Web Container exposing sensitive resources.
The release also comprises two High-priority notes, seven Medium and two Low, plus fixes for high-severity Apache Tomcat flaws in Commerce Cloud and a missing authorization check in NetWeaver. SAP urged customers to visit the Support Portal and apply the patches 'on priority.'
Why it matters
SAML-bypass and unauthenticated RFC memory-corruption flaws sit at the identity and protocol core of thousands of enterprise ERP landscapes, and SAP HotNews bugs have historically been weaponized within weeks of disclosure.
Key facts on file
- SAP released 15 new security notes on June 9, 2026, including four HotNews-rated vulnerabilities
- CVE-2026-44748 (CVSS 9.9): XML Signature Wrapping flaw in SAML authentication for NetWeaver AS ABAP and ABAP Platform
- CVE-2026-27671 (CVSS 9.8): memory corruption in the AS ABAP kernel exploitable via crafted RFC requests without credentials
- CVE-2026-22732 (CVSS 9.1): Spring Security flaw affecting SAP Commerce Cloud and SAP Data Hub, unauthenticated remote exploitation
- CVE-2026-40128 (CVSS 9.0): directory traversal in NetWeaver AS Java Web Container
- Release breakdown: 4 HotNews, 2 High, 7 Medium, 2 Low priority notes

