SAP Patchday: One critical SQL injection vulnerability – and 18 others
On the April Patchday, SAP addresses vulnerabilities in its products with 19 security notes. One of the flaws is rated critical and allows the injection of SQL commands.
On the April Patchday, SAP addresses vulnerabilities in various products with 19 new security notes. One of them is rated critical and allows attackers to inject SQL commands; another is rated high. SAP classifies the majority of the remaining holes as medium risk and two as low.
The SAP Patchday overview for April lists the individual vulnerabilities and the associated CVE entries. The most severe is an insufficient authorization check in SAP Business Planning and Consolidation and in SAP Business Warehouse, through which authenticated users can execute manipulated SQL statements and thereby read, change, and delete data in the database (CVE-2026-27681, CVSS 9.9, risk “critical”).
The developers rate a missing authorization check in SAP ERP and SAP S/4HANA (private cloud and on-premise) as high risk. It allows authenticated attackers to execute a specific ABAP report and thereby overwrite, without authorization, any existing executable ABAP report with an eight-character name. As a result, the function originally provided by an overwritten report may no longer be available (CVE-2026-34256, CVSS 7.1, risk “high”).
Other SAP security vulnerabilities addressed
The 15 further security vulnerabilities are classified as medium risk. They affect:
- SAP BusinessObjects Business Intelligence Platform
- SAP Human Capital Management for SAP S/4HANA
- SAP Business Analytics and SAP Content Management
- SAP S/4HANA OData Service (Manage Reference Equipment)
- SAP S/4HANA Backend OData Service (Manage Reference Structures)
- SAP S/4HANA Frontend OData Service (Manage Reference Structures)
- SAP Supplier Relationship Management (SICF Handler in SRM Catalog)
- SAP NetWeaver Application Server Java (Web Dynpro Java)
- SAP NetWeaver Application Server ABAP
- SAP HANA Cockpit and HANA Database Explorer
- SAP S/4HANA (private cloud and on-premise)
- Material Master Application
- SAP S/4HANA OData Service (Manage Technical Object Structures)
- SAP BusinessObjects Business Intelligence Platform
In addition, SAP has updated an older security note from November 2025 for SAP S4CORE (Manage Journal Entries). The two vulnerabilities classified as low risk affect SAP NetWeaver Application Server ABAP and SAP Landscape Transformation.
IT managers should check whether they run any of the affected software and apply the updates SAP provides. Note that both of the most severe flaws are exploitable by authenticated users, so valid business accounts are enough to abuse them. On the March Patchday this year, SAP admins received patches for 15 vulnerabilities, two of which were rated critical.
(dmk)