SOCRadar® Cyber Intelligence Inc. | SAP Security Patch Day June 2026: Critical CVE-2026-44748 SAML Flaw Could Allow Full Authentication Bypass
Jun 10, 2026

On June 9, 2026, SAP released its monthly security updates, which included 15 new Security Notes addressing vulnerabilities across several SAP products.

SAP Security Patch Day June 2026 updates cover a broad range of vulnerability types that could put SAP environments at risk. These include XML Signature Wrapping, Memory Corruption, Directory Traversal, SQL Injection, Cross-Site Scripting (XSS), Missing Authorization Checks, and Email Spoofing. Each of these presents distinct risks that could disrupt enterprise operations if left unpatched.

A standout issue in this cycle is CVE-2026-44748, a SAML authentication bypass flaw with a CVSS score of 9.9. If exploited, this vulnerability could allow an attacker to forge identity information and gain unauthorized access to sensitive data across trust boundaries.

Which Critical Vulnerabilities Were Addressed in SAP Security Patch Day June 2026?

SAP Security Patch Day June 2026 addressed four critical-severity vulnerabilities with the following security notes:

Security Note #3746332 (CVSS: 9.9) – XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform

Security Note #3746332 (CVSS: 9.9) addresses a critical XML Signature Wrapping vulnerability in SAML authentication, tracked as CVE-2026-44748, affecting SAP NetWeaver Application Server ABAP and ABAP Platform.

CVE-2026-44748 allows an authenticated attacker with normal privileges who has obtained a valid signed SAML message to alter the document's XML structure before it reaches the verifier. In a signature wrapping attack the signed element is left intact, so the signature itself still verifies, while an unsigned element carrying attacker-chosen identity data is inserted where the application actually reads its assertion from. Because the verifier does not confirm that the element it consumes is the one covered by the signature, it may accept tampered identity information. This can lead to unauthorized access to sensitive user data, privilege escalation, and disruption of normal system operations.

The root cause is improper verification of cryptographic signatures (CWE-347). The flaw is especially relevant for organizations relying on SSO, federated authentication, or Web Service Security, since those configurations depend on the integrity of signed SAML assertions.

This vulnerability affects SAP_BASIS versions 702 through 919, making its patch footprint very wide. As a temporary mitigation, administrators can disable SAML authentication, though this approach does not cover all signed XML use cases and may disrupt SSO workflows.
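The wrapping technique behind this class of flaw, shown on a toy SAML-style response as an added example. This is not SAP code and not a reproduction of CVE-2026-44748: HMAC-SHA256 over one element's serialised bytes stands in for an XML-DSig signature, and the element names, IDs and key are constructed. What it models is the Reference/ID resolution that CWE-347 is about.

```python
"""Toy model of XML Signature Wrapping (XSW) on a SAML-style response.
Constructed example: HMAC-SHA256 over one element's serialised bytes stands
in for an XML-DSig signature, and Reference/ID resolution is the part being
modelled. Element names, IDs and the key are made up."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-idp-signing-key"  # assumption: known only to the IdP


def _digest(element):
    # The signature covers exactly one element, the one named by Reference
    # (URI="#ID" in real XML-DSig), not the whole document.
    return hmac.new(IDP_KEY, ET.tostring(element), hashlib.sha256).hexdigest()


def _by_id(root, ref):
    return next((e for e in root.iter() if e.get("ID") == ref), None)


def idp_issue_response(subject, assertion_id="_a1"):
    """IdP side: <Response><Assertion ID=..><Subject/></Assertion><Signature/></Response>."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    ET.SubElement(resp, "Signature", Reference=assertion_id, Value=_digest(assertion))
    return resp


def attacker_wrap(resp, wanted_subject="admin"):
    """Attacker side: leave the signed Assertion untouched so the signature
    still verifies, and prepend an unsigned Assertion with a forged subject."""
    forged = ET.Element("Assertion", ID="_evil")
    ET.SubElement(forged, "Subject").text = wanted_subject
    resp.insert(0, forged)
    return resp


def vulnerable_verifier(resp):
    """CWE-347 pattern: checks that the referenced element verifies, then
    consumes the first Assertion it finds, which need not be that element."""
    sig = resp.find("Signature")
    referenced = _by_id(resp, sig.get("Reference"))
    if referenced is None or not hmac.compare_digest(sig.get("Value"), _digest(referenced)):
        raise ValueError("bad signature")
    return resp.find("Assertion").find("Subject").text


def hardened_verifier(resp):
    """Consume only the element the verified Reference resolves to, and refuse
    any document whose structure leaves the verifier a choice."""
    sig = resp.find("Signature")
    if sig is None:
        raise ValueError("unsigned response")
    if len(resp.findall(".//Assertion")) != 1:
        raise ValueError("exactly one Assertion expected")
    ids = [e.get("ID") for e in resp.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes")
    referenced = _by_id(resp, sig.get("Reference"))
    if referenced is None or referenced.tag != "Assertion":
        raise ValueError("Reference does not resolve to an Assertion")
    if not hmac.compare_digest(sig.get("Value"), _digest(referenced)):
        raise ValueError("bad signature")
    return referenced.find("Subject").text


if __name__ == "__main__":
    print("honest, vulnerable :", vulnerable_verifier(idp_issue_response("alice")))
    print("wrapped, vulnerable:", vulnerable_verifier(attacker_wrap(idp_issue_response("alice"))))
    print("honest, hardened   :", hardened_verifier(idp_issue_response("alice")))
    try:
        hardened_verifier(attacker_wrap(idp_issue_response("alice")))
    except ValueError as exc:
        print("wrapped, hardened  : rejected,", exc)
```

The vulnerable verifier accepts the wrapped document and hands back "admin": the signature check passes because the original, untouched Assertion is still present under its original ID, but the subject is read from the forged element in front of it. The hardened verifier returns only the referenced element's subject and rejects any response with more than one Assertion or a duplicate ID, which is the behaviour to confirm in any SAML or WS-Security consumer, not only SAP's.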

Vulnerability card of CVE-2026-44748 (SOCRadar)

Security Note #3717897 (CVSS: 9.8) – Memory Corruption Vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

Security Note #3717897 (CVSS: 9.8) addresses a memory corruption vulnerability, tracked as CVE-2026-27671, in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform.

CVE-2026-27671 stems from improper validation of the RFC (Remote Function Call) protocol at the kernel level. An unauthenticated attacker can send a specially crafted RFC request that exploits logical errors in memory management, leading to stack-based buffer overflow conditions (CWE-121). Successful exploitation could result in application crashes, unauthorized data access, or arbitrary code execution.

What makes this vulnerability particularly dangerous is that it requires no authentication and no user interaction. CISA’s ADP assessment also flagged this flaw as automatable, meaning attackers could exploit it at scale without manual effort. This combination of factors makes CVE-2026-27671 one of the most urgent patches in this cycle.

Affected components span multiple kernel versions, including KRNL64NUC 7.22 and 7.22EXT, KRNL64UC 7.22, 7.22EXT, and 7.53, and KERNEL versions 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, and 9.19. SAP has addressed the issue through improved RFC protocol validation, and remediation requires applying the latest kernel patch level.

Vulnerability card of CVE-2026-27671 (SOCRadar)

Security Note #3748262 (CVSS: 9.1) – Spring Security Vulnerability within SAP Commerce Cloud and SAP Data Hub

Security Note #3748262 (CVSS: 9.1) addresses a critical Spring Security vulnerability, tracked as CVE-2026-22732, affecting SAP Commerce Cloud and SAP Data Hub.

CVE-2026-22732 is an external library vulnerability originating in the Spring Security framework. When servlet applications use Spring Security’s default lazy writing mode for HTTP response headers, certain request paths can finalize the HTTP response before Spring Security writes the required security headers. As a result, responses may be delivered without protections like cache control, content security policy, or other browser-side security controls.

This opens up applications to various attacks, including sensitive data exposure through caching mechanisms and advanced connection hijacking. The flaw was originally disclosed by VMware/Broadcom in March 2026 and carries a CVSS score of 9.1, with high impact on both confidentiality and integrity.

The vulnerability affects a wide range of Spring Security versions: 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3.

In the SAP context, the affected products are SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211, 2211-JDK21) and SAP Data Hub (HY_DHUB 2205, DHUB_CLOUD 2211).

The upstream Spring advisory describes setting the HeaderWriterFilter.shouldWriteHeadersEagerly property to true as a workaround, though it may change application behavior. However, SAP’s own note for this vulnerability states that no workaround is available for the affected SAP products, since customers cannot easily toggle that property inside Commerce Cloud or Data Hub deployments. Patching is the recommended path.
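Because the missing headers are path dependent, the practical way to confirm whether a Commerce Cloud or Data Hub front end is affected is a differential check across request paths. The following is an added example, not Spring, SAP Commerce Cloud or SAP Data Hub code: the two raw HTTP responses are constructed to illustrate the failure mode, and the expected-header policy is an assumption to tune per deployment.

```python
"""Differential check for security headers that lazy header writing can drop
on some request paths. Constructed example, not Spring or SAP code."""

# Headers a Spring Security deployment is expected to write on every response.
# Value None means presence only; otherwise the value must contain the string.
# Assumption: tune this policy to what your deployment actually configures.
EXPECTED = {
    "cache-control": "no-store",
    "pragma": "no-cache",
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "content-security-policy": None,
}


def parse_response(raw):
    """Parse a raw HTTP/1.1 response (e.g. saved `curl -i` output) into
    (status_code, {lowercased header name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        # Repeated headers are joined the way RFC 9110 allows.
        headers[key] = headers[key] + ", " + value if key in headers else value
    return status, headers


def missing_headers(headers):
    """Names of expected headers that are absent or carry the wrong value."""
    findings = []
    for name, needle in EXPECTED.items():
        value = headers.get(name)
        if value is None or (needle is not None and needle not in value.lower()):
            findings.append(name)
    return findings


def compare_paths(responses):
    """responses: {path: raw_response}. A path that finalised its response
    before the header filter ran shows up with a non-empty finding list."""
    return {path: missing_headers(parse_response(raw)[1]) for path, raw in responses.items()}


# Constructed sample responses: "/" went through the filter, the export
# endpoint did not.
SAMPLES = {
    "/": "\r\n".join([
        "HTTP/1.1 200 OK",
        "Cache-Control: no-cache, no-store, max-age=0, must-revalidate",
        "Pragma: no-cache",
        "Expires: 0",
        "X-Content-Type-Options: nosniff",
        "X-Frame-Options: DENY",
        "Content-Security-Policy: default-src 'self'",
        "Content-Type: text/html",
        "",
        "<html>",
    ]),
    "/account/export": "\r\n".join([
        "HTTP/1.1 200 OK",
        "Content-Type: application/json",
        "Content-Length: 2",
        "",
        "{}",
    ]),
}

if __name__ == "__main__":
    for path, missing in compare_paths(SAMPLES).items():
        print(path, "OK" if not missing else "missing: " + ", ".join(missing))
```

Feed it one saved `curl -i` capture per path of interest, including error pages, redirects and authenticated endpoints, since the paths that finalise the response early are not the ones a default crawl tends to hit. A path with an empty finding list after the patch, where it previously reported missing headers, is the evidence that the fix is in place.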

Vulnerability card of CVE-2026-22732 (SOCRadar)

Security Note #3727078 (CVSS: 9.0) – Directory Traversal Vulnerability in SAP NetWeaver Application Server Java (Web Container)

Security Note #3727078 (CVSS: 9.0) addresses a directory traversal vulnerability, tracked as CVE-2026-40128, in the Web Container of SAP NetWeaver Application Server Java.

CVE-2026-40128 allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters. By using path traversal sequences (CWE-35), the attacker can escape the intended application directory and force the server to process an included file. This could allow the attacker to view or modify sensitive information, or render parts of the local system unavailable.

The vulnerability affects ENGINEAPI version 7.50. While the attack complexity is rated high (meaning exploitation requires specific conditions to be met), the potential impact is severe across confidentiality, integrity, and availability. The scope is also changed, meaning a successful exploit can affect resources beyond the vulnerable component.
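What a traversal-safe include lookup has to do, as an added example that is not SAP's Web Container code and makes no claim about the actual CVE-2026-40128 request format: the include directory, the parameter handling and the payloads are constructed, and the point is the normalisation and containment check a practitioner should expect to find after the fix.

```python
"""Path-traversal (CWE-35) handling for a file-include parameter.
Constructed example; directory, parameter values and payloads are assumptions."""
import posixpath
from urllib.parse import unquote

INCLUDE_ROOT = "/usr/sap/webapp/includes"  # assumption: the only allowed include directory


def vulnerable_resolve(param):
    """Joins user input straight onto the base directory: '../' walks out of it."""
    return posixpath.normpath(posixpath.join(INCLUDE_ROOT, param))


def hardened_resolve(param, max_decode_rounds=3):
    """Decode, normalise, then prove the result is still inside INCLUDE_ROOT."""
    value = param
    for _ in range(max_decode_rounds):          # catches %2e%2e%2f and double-encoded forms
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if unquote(value) != value:
        raise ValueError("include name still encoded after decoding")
    if "\x00" in value:
        raise ValueError("NUL byte in include name")
    value = value.replace("\\", "/")            # treat backslashes as separators too
    if value.startswith("/"):
        raise ValueError("absolute include path")
    candidate = posixpath.normpath(posixpath.join(INCLUDE_ROOT, value))
    # commonpath, not startswith: "/usr/sap/webapp/includes-evil" starts with the root string
    if posixpath.commonpath([INCLUDE_ROOT, candidate]) != INCLUDE_ROOT:
        raise ValueError("include escapes the allowed directory")
    return candidate


def classify(params):
    """Return {param: 'allowed' | 'blocked'} for each candidate include value."""
    out = {}
    for p in params:
        try:
            hardened_resolve(p)
            out[p] = "allowed"
        except ValueError:
            out[p] = "blocked"
    return out


# Constructed payloads covering plain, encoded, double-encoded, backslash,
# absolute and sibling-prefix variants.
PAYLOADS = [
    "logon/header.html",
    "../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "%252e%252e%252fetc/passwd",
    "..%5c..%5c..%5c..%5cetc%5cpasswd",
    "/etc/passwd",
    "../includes-evil/x.html",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("../../../../etc/passwd"))
    for p, verdict in classify(PAYLOADS).items():
        print(f"{verdict:8} {p}")
```

The string-based check is deliberate: it does not touch the filesystem, so it can be run in a unit test, but it also means symlinks inside the include directory are not covered. Where the server resolves real files, resolve the candidate with `os.path.realpath` and repeat the `commonpath` check against the real root as well.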

Vulnerability card of CVE-2026-40128 (SOCRadar)

Additional High and Medium Severity Notes

Beyond the four critical security notes, SAP also released two new high-severity notes in this cycle.

Security Note #3747484 (CVSS: 7.4) addresses multiple Apache Tomcat vulnerabilities (CVE-2026-29145, CVE-2025-66614, CVE-2026-24734) within SAP Commerce Cloud. These affect embedded Tomcat server components, particularly around certificate-based authentication and validation mechanisms, and could allow attackers to exploit weaknesses in the underlying application server.

Security Note #3735546 (CVSS: 7.1) patches a Missing Authorization Check (CVE-2026-44751) in the Application Server ABAP of SAP NetWeaver and ABAP Platform, spanning SAP_BASIS versions 700 through 816.

The remaining notes address medium and low severity issues across several products, including a missing caller identification check for ODP Data Replication APIs (CVE-2026-44754, CVSS: 6.6), an SQL Injection flaw in SAP S/4HANA (CVE-2026-44744, CVSS: 6.5), XSS vulnerabilities in SAP NetWeaver AS Java and SAP Wily Introscope Enterprise Manager, missing authorization checks in SAP MDG, email spoofing in SAP BusinessObjects BI Platform, a path traversal issue in SAP Fiori, a security misconfiguration in SAP BusinessObjects, and a potential Apache Log4j library vulnerability in SAP NetWeaver AS Java.

For more information, see SAP’s official security notes: SAP Security Patch Day June 2026.

To access details on any vulnerability and track related activity such as exploitation attempts and hacker trends, you can use SOCRadar’s Vulnerability Intelligence module, which monitors newly published vulnerabilities and attacker interest in them for your organization.

Improve Your Security Posture with SOCRadar

Keeping up with monthly security patches across large SAP landscapes can be a serious operational burden, especially when multiple critical vulnerabilities land in a single cycle. Without the right tools, security teams risk falling behind on the patches that matter most.

SOCRadar’s Attack Surface Management (ASM) module helps organizations maintain visibility over their digital footprint and potential exposure points. By providing timely alerts about threats targeting organizational assets, ASM enables security teams to prioritize response and stay ahead of emerging risks.

View Company Vulnerabilities and take quick actions through the ASM module (SOCRadar)

Beyond surface monitoring, SOCRadar’s Vulnerability Intelligence feature offers an in-depth view of emerging threats and exploitable vulnerabilities specific to your environment. It tracks the latest security vulnerabilities, delivers customized alerts, and allows organizations to focus on the most critical issues first.

Integrating SOCRadar’s tools into your security operations can change how threats are managed, from mapping your attack surface to receiving targeted alerts that match your specific needs.

With the Free Edition, you can explore the SOCRadar XTI platform’s features.