SAP Warns of Critical Flaws in NetWeaver and Commerce Cloud

▼ Summary
– SAP patched 16 vulnerabilities in July 2026, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter.
– A memory corruption bug (CVE-2026-44747) in NetWeaver AS ABAP allows authenticated attackers to access or modify data or cause system unavailability via out-of-bounds write.
– An HTTP Request Smuggling vulnerability (CVE-2026-27690) in SAP Approuter lets unauthenticated attackers access user responses or cause denial-of-service via crafted requests.
– A critical flaw in SAP Commerce Cloud (CVE-2026-44761) uses default credentials to let attackers obtain access tokens and read or modify data via APIs.
– The update also fixed 14 other flaws of varying severity, and since November 2021, CISA has added 14 SAP flaws to its exploited vulnerabilities catalog.
SAP has released its July 2026 security updates, patching 16 vulnerabilities across a range of products, with three flaws rated as critical. These affect NetWeaver, Commerce Cloud, and AppRouter.
The first critical vulnerability, tracked as CVE-2026-44747, involves a memory corruption issue in the NetWeaver Application Server ABAP (AS ABAP). This component serves as the runtime environment, application server, and development platform for core SAP enterprise software. The flaw stems from an out-of-bounds write weakness.
According to SAP, “SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability.” The company notes this issue has a high impact on confidentiality, integrity, and availability.
The second critical flaw, CVE-2026-27690, is an HTTP Request Smuggling vulnerability in SAP Approuter. This Node.js-based middleware library is designed for cloud-based applications running on the SAP Business Technology Platform (SAP BTP). Unauthenticated attackers can exploit this weakness by sending specially crafted HTTP requests, potentially accessing user responses and launching denial-of-service (DoS) attacks on the targeted system.
The third critical patch addresses CVE-2026-44761, found in the SAP Commerce Cloud enterprise e-commerce platform. This vulnerability arises from default credentials, which could allow attackers to obtain valid access tokens and then read or modify data through specific APIs.
Beyond the critical fixes, SAP’s July 2026 advisory covers six high-severity flaws, seven medium-severity issues, and one low-severity vulnerability. These include a range of attack vectors such as DLL hijacking, open redirect, missing authorization checks, remote code execution (RCE), cross-site scripting (XSS), path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations.
While SAP has not observed any active exploitation of these newly patched vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has added 14 SAP security flaws to its Known Exploited Vulnerabilities (KEV) catalog since November 2021. Two of those were previously used by ransomware gangs.
In its June 2026 Security Patch package, SAP addressed 15 vulnerabilities. Additionally, attackers recently compromised multiple official SAP npm packages as part of a supply chain attack, targeting credentials from developers’ systems.
The German multinational software corporation, which reported total revenues exceeding €36 billion in fiscal year 2025, serves 99 of the world’s 100 largest companies.
(Source: BleepingComputer)



