Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | SAP Security Patch Day July 2026 Fixes Critical NetWeaver CVE-2026-44747
Jul 14, 2026
9 Mins Read
Moon

SAP Security Patch Day July 2026 Fixes Critical NetWeaver CVE-2026-44747

On July 14, 2026, SAP released its monthly security updates, delivering 16 new Security Notes and one GitHub security advisory, alongside three updates to previously released notes. The release includes three new critical vulnerabilities and an update to a critical note first issued in June.

SAP Security Patch Day July 2026 addresses vulnerabilities across SAP NetWeaver, Approuter, Commerce Cloud, Integration Suite, SAProuter, S/4HANA, Fiori, CRM, and other products. The covered vulnerability classes include memory corruption, HTTP request smuggling, insecure sample credentials, directory traversal, DLL hijacking, open redirect, remote code execution, cross-site scripting, SQL injection, missing authorization checks, denial-of-service, and information disclosure.

The most severe issue this month is CVE-2026-44747, a memory corruption vulnerability in SAP NetWeaver Application Server ABAP with a CVSS score of 9.9. An authenticated attacker could exploit logical errors in memory management to access or modify data or make the affected system unavailable. The vulnerability has a high impact on confidentiality, integrity, and availability.

This release follows a busy June cycle. For information about last month’s fixes, including the critical SAML authentication vulnerability CVE-2026-44748, see our SAP Security Patch Day June 2026 coverage.

Which Critical Vulnerabilities Were Addressed in SAP Security Patch Day July 2026?

SAP Security Patch Day July 2026 addressed three new critical vulnerabilities and updated a critical Security Note originally released in June.

Security Note 3747367 Fixes CVE-2026-44747 in SAP NetWeaver AS ABAP

Security Note 3747367, with a CVSS score of 9.9, addresses the memory corruption vulnerability CVE-2026-44747 in SAP NetWeaver Application Server ABAP. The application server and its underlying kernel support many business-critical SAP applications and processes.

CVE-2026-44747 CVSS score on NVD

CVE-2026-44747 CVSS score on NVD

CVE-2026-44747 stems from an out-of-bounds write weakness tracked as CWE-787. An authenticated attacker with low privileges could exploit logical errors in memory management to trigger memory corruption. Successful exploitation could result in unauthorized data access, data modification, or system unavailability.

Affected versions include:

  • KRNL64NUC 7.22 and 7.22EXT
  • KRNL64UC 7.22, 7.22EXT, and 7.53
  • KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, and 9.20

Because the note covers several kernel branches, SAP administrators should compare the versions running across development, testing, and production systems against the complete affected-version list.

As a temporary workaround, SAP describes disabling ICF nodes with a specific property through transaction SICF. However, this measure also prevents users from opening transactions through SAP GUI for HTML, making it unsuitable for some environments. Applying the corrected ABAP kernel version remains the recommended remediation. The vulnerability was patched with support from Onapsis Research Labs.

Security Note 3720138 Fixes CVE-2026-27690 in SAP Approuter

Security Note 3720138, with a CVSS score of 9.1, addresses the HTTP request smuggling vulnerability CVE-2026-27690 in SAP Approuter.

SAP Approuter is a Node.js-based routing component used to direct requests to applications and services. The vulnerability affects SAP Approuter versions earlier than 20.10.0 and, according to Onapsis, applies to deployments in non-Cloud Foundry environments.

An unauthenticated attacker could send a specially crafted HTTP request that causes different components in the request path to disagree about where one request ends and another begins. This request-response desynchronization could expose responses belonging to other users or make the affected system unavailable. SAP’s CVSS assessment indicates high impact on confidentiality and availability, with no confirmed impact on integrity.

Organizations should upgrade the @sap/approuter package to version 20.10.0 or later. They should also verify the version actually deployed in production rather than relying only on the version declared in source control. Dependency lock files, container images, cached build artifacts, and bundled application packages can leave older versions running after a source-level update.

The July release also includes CVE-2026-44745, a separate high-severity open redirect vulnerability affecting SAP Approuter versions earlier than 21.2.0. Teams using Approuter should therefore evaluate both notes and consider moving to version 21.2.0 or later where compatible, rather than addressing only the request-smuggling issue.

No authoritative source reviewed for this update confirmed active exploitation or a reliable public proof-of-concept specifically targeting CVE-2026-27690 as of July 14, 2026. However, internet-facing Approuter deployments and environments with several HTTP-processing layers should receive priority because request-smuggling risks can depend heavily on the surrounding proxy, load balancer, CDN, and WAF configuration.

Security Note 3753495 Addresses CVE-2026-44761 in SAP Commerce Cloud

The third new critical vulnerability, CVE-2026-44761, has a CVSS score of 9.1 and affects SAP Commerce Cloud.

The issue involves a sample OAuth2 client created through configuration scripts previously provided in SAP Help Portal documentation. These development and testing examples used publicly documented sample credentials. If an organization executed the script and retained the resulting OAuth2 client in production without replacing its secret, an unauthenticated attacker could use the credentials to obtain a valid access token.

The token could then be used to invoke certain APIs and read or modify data. Successful exploitation has a high impact on confidentiality and integrity but does not directly affect availability. Affected releases include HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21.

The presence of an affected product version does not automatically mean that the vulnerable OAuth2 client exists. Exploitation requires the sample script to have been executed and the original client secret to remain unchanged. Customers who removed the sample client or replaced its secret with a strong, unique value are not affected by this specific condition.

The Security Note updates SAP’s documentation rather than automatically removing the affected client from customer environments. Organizations must manually audit production systems, identify any OAuth2 clients created from the sample configuration, and remove them or replace the documented secret.

Updated Security Note 3727078 Covers CVE-2026-40128

SAP also updated Security Note 3727078, with a CVSS score of 9.0, which was originally released during the June 2026 Patch Day.

The note addresses CVE-2026-40128, a directory traversal vulnerability in the Web Container of SAP NetWeaver Application Server Java. The July update extends the fix to additional Support Packages.

An unauthenticated attacker could craft a malicious HTTP logon request that manipulates file-inclusion parameters. Processing the included file could allow the attacker to view or modify sensitive information or make part of the local system unavailable. The vulnerability affects ENGINEAPI 7.50.

Additional High-Severity SAP Security Notes

Beyond the critical fixes, SAP released six high-severity Security Notes in July.

Security Note 3758101, with a CVSS score of 8.8, addresses three Apache Camel vulnerabilities within SAP Integration Suite Edge Integration Cell:

  • CVE-2026-40860
  • CVE-2026-40453
  • CVE-2026-33454

The vulnerabilities involve unsafe deserialization and message-header injection in Apache Camel JMS and Mail components. Depending on the route configuration and accessible message channels, the underlying issues could allow malicious message content or headers to influence downstream processing and potentially lead to code execution or unauthorized file operations.

SAP resolved the issues in Edge Integration Cell version 8.43.11 and later, including controls that restrict deserialization to approved classes.

The remaining high-severity notes address:

  • CVE-2026-0487, a DLL hijacking vulnerability in SAProuter on Microsoft Windows
  • CVE-2026-44752, an XSS vulnerability in the SAP NetWeaver AS Java Configuration Wizard
  • CVE-2026-44745, an open redirect vulnerability in SAP Approuter
  • Multiple Apache Tomcat vulnerabilities in SAP Commerce Cloud
  • CVE-2026-58233, a remote code execution vulnerability in the SAP Change and Transport System Attach Tool

SAP has ended support for the affected ctsattach tool and recommends that customers stop using it and remove existing copies from their systems.

The medium- and low-severity notes cover additional XSS, SQL injection, authorization, path traversal, security misconfiguration, information disclosure, and third-party library issues across NetWeaver, S/4HANA, Fiori, CRM, and SAP HANA Extended Application Services.

What Should SAP Security Teams Do?

Organizations should begin by mapping the July notes to the versions and components actually running across their SAP environments. Source repositories and asset inventories may not reflect older kernels, embedded libraries, forgotten OAuth2 clients, or container images still active in production.

CVE-2026-44747 should receive immediate attention in environments running affected NetWeaver AS ABAP kernel versions. Where the temporary SICF workaround would interrupt SAP GUI for HTML workflows, teams should prioritize testing and deploying the corrected kernel rather than relying on the workaround for an extended period.

For SAP Approuter, upgrade vulnerable installations and verify the package version running inside deployed applications and containers. Teams should also document the complete HTTP request path, including CDNs, WAFs, reverse proxies, ingress controllers, and load balancers. After patching, monitor for unusual malformed-request errors, unexplained 4xx or 5xx spikes, and differences between edge and backend request logs.

SAP Commerce Cloud customers should audit production environments for OAuth2 clients created from SAP’s sample configuration. Any client retaining the documented sample secret should be removed or assigned a new, unique secret. Simply applying routine platform updates may not remove the insecure configuration.

No product-specific indicators of compromise have been published for the new July vulnerabilities. Organizations that suspect exploitation should review authentication activity, access to sensitive APIs, changes to business data, abnormal application errors, and privileged actions occurring behind affected SAP components.

For more information, see SAP’s official SAP Security Patch Day July 2026 bulletin.

To access details about individual vulnerabilities and follow developments such as exploitation activity, proof-of-concept releases, and hacker discussions, security teams can use SOCRadar’s Vulnerability Intelligence module.

Improve Your Security Posture With SOCRadar

Large SAP landscapes rarely map neatly onto a monthly patch bulletin. Multiple kernel versions, cloud and on-premises components, and third-party dependencies make it difficult to know which notes actually apply, and which exposed assets need attention first.

SOCRadar’s Attack Surface Management (ASM) module gives security teams continuous visibility into their digital footprint, surfacing internet-facing assets and potential exposure points before attackers find them. Timely alerts on threats targeting organizational assets help teams prioritize response where it matters most.

Take quick actions with SOCRadar’s Company Vulnerabilities through the ASM module

Take quick actions with SOCRadar’s Company Vulnerabilities through the ASM module

Complementing ASM, SOCRadar’s Vulnerability Intelligence tracks newly disclosed vulnerabilities, exploitation activity, and hacker trends specific to your environment, delivering customized alerts so critical issues never get lost in the noise.

With the Free Edition, you can explore the SOCRadar XTI platform’s features.