SAP Patchday: Developers fix 17 security vulnerabilities in January
SAP addresses 17 security vulnerabilities on January Patchday. Four of them are considered critical security risks.
On the January 2026 Patchday, SAP released 17 new security notes. They address four security vulnerabilities in its business software classified as critical risks and four as high risks.
The SAP Patchday Overview lists the individual advisories. The most severe is a SQL injection vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials - General Ledger) (CVE-2026-0501, CVSS 9.9, Risk “critical”). In SAP Wily Introscope Enterprise Manager (WorkStation), attackers from the network can inject malicious code (CVE-2026-0500, CVSS 9.6, Risk “critical”). Additionally, malicious actors can inject their code in SAP S/4HANA (Private Cloud and On-Premise) (CVE-2026-0498, CVSS 9.1, Risk “critical”). A similar vulnerability affects SAP Landscape Transformation (CVE-2026-0491, CVSS 9.1, Risk “critical”).
High-risk SAP vulnerabilities
In the SAP HANA database, attackers can also exploit a privilege escalation vulnerability (CVE-2026-0492, CVSS 8.8, Risk “high”). In SAP Application Server for ABAP and SAP NetWeaver RFCSDK, they can inject commands into the operating system (CVE-2026-0507, CVSS 8.4, Risk “high”). The SAP Fiori App (Intercompany Balance Reconciliation) contains three security vulnerabilities, at least one of which is classified as a “high” risk with a CVSS score of 8.1 (CVE-2026-0511, CVE-2026-0496, CVE-2026-0495). Finally, SAP reports a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform (CVE-2026-0506, CVSS 8.1, Risk “high”).
Seven additional vulnerabilities have been classified by SAP's developers as medium risk. They also consider two security vulnerabilities to be of low threat level.
IT managers should apply the available updates promptly to reduce the attack surface of their IT landscape. On the past Patchday in December 2025, SAP released 14 security notes. Three of them were classified as critical security risks.
(dmk)