SAP Patchday: Critical vulnerabilities allow unauthorized login

SAP addresses 15 new security vulnerabilities in May. Two are considered critical and allow unauthorized login or SQL injection.

[Image: Fragmented SAP logo, behind it a divided SAP NetWeaver GUI]
(Image: SAP, Collage heise online / dmk)

Business software company SAP has released 15 new security notes for the May Patchday. The developers classify two of the vulnerabilities addressed as critical risks. Attackers can inject database commands via SQL injection or bypass authentication, for example.

On the SAP Patchday overview page, the company lists the individual security notes. In SAP S/4HANA (SAP Enterprise Search for ABAP), authenticated attackers can inject malicious SQL queries because user input is not sufficiently filtered. This allows them to gain unauthorized access to the underlying database or crash the SAP application (CVE-2026-34260, CVSS 9.6, Risk “critical”). An incorrect configuration of Spring Security in SAP Commerce Cloud also allows unauthenticated attackers to upload malicious configurations and inject code, leading to the execution of arbitrary code on the server side (CVE-2026-34263, CVSS 9.6, Risk “critical”).

In SAP Forecasting & Replenishment, there is also a vulnerability that allows malicious actors to inject operating-system commands (CVE-2026-34259, CVSS 8.2, Risk “high”). The remaining notes mostly represent a medium risk and affect:

  • SAP NetWeaver Application Server for ABAP and ABAP Platform,
  • SAP S/4HANA Condition Maintenance,
  • Business Server Pages Application (TAF_APPLAUNCHER),
  • SAP BusinessObjects Business Intelligence Platform,
  • SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard),
  • SAP Commerce Cloud (Apache Log4j),
  • SAPUI5 (Search UI),
  • SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages),
  • SAP Financial Consolidation,
  • SAP Incentive and Commission Management, and
  • SAP Application Server ABAP for SAP NetWeaver and ABAP Platform.

SAP is also addressing a low-risk vulnerability in the SAP HANA Deployment Infrastructure (HDI) deploy library. IT managers should check whether they are running affected SAP software and apply the available patches promptly.


The SAP Patchday in April was slightly more extensive: developers had to fix 19 vulnerabilities. One of them was considered critical and was also of the SQL injection type.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.