SAP patches critical flaws in Commerce Cloud and S/4HANA
▼ Summary
– SAP released May 2026 security patches for 15 vulnerabilities across multiple products.
– Two critical flaws were fixed in the Commerce Cloud e-commerce platform and the S/4HANA ERP suite.
SAP’s latest batch of security patches, released for May 2026, tackles 15 vulnerabilities spread across its product lineup. Among them, two critical flaws have been identified in the Commerce Cloud enterprise-grade e-commerce platform and the S/4HANA ERP suite. These updates arrive as part of the company’s ongoing commitment to fortifying its software against potential exploits.
The most severe issue, rated at 9.9 on the CVSS severity scale, resides in the Commerce Cloud platform. It involves a missing authorization check that could allow an attacker to escalate privileges or access sensitive data without proper credentials. For organizations relying on this system for online sales and customer engagement, the risk is substantial, as a successful exploitation could compromise transaction integrity or expose personal information.
Equally concerning is a critical flaw in S/4HANA, SAP’s flagship ERP solution. This vulnerability, scoring 9.1, stems from improper input validation in a specific component, opening the door for remote code execution. An unauthenticated attacker could potentially take control of affected systems, disrupt operations, or steal proprietary data. Given S/4HANA’s widespread use in finance, supply chain, and human resources, the potential for business disruption is significant.
Beyond these two, the remaining 13 vulnerabilities span a range of severity, from high to medium. They affect products like SAP NetWeaver, SAP BusinessObjects, and SAP Fiori, among others. Issues include cross-site scripting, SQL injection, and insufficient logging, each with the potential to undermine data integrity or system availability if left unpatched.
SAP recommends that customers prioritize applying the patches, especially for the critical flaws, to mitigate exposure. The company has also provided detailed notes on workarounds and configuration changes for environments where immediate patching isn’t feasible. As cyber threats evolve, staying current with these updates remains a cornerstone of enterprise security hygiene.
(Source: BleepingComputer)
