SAP Patches Critical ABAP Vulnerability
The company has released 19 new security notes addressing flaws in over a dozen enterprise products.
Aggregated from SecurityWeek
This article was automatically aggregated from an external source. Content may be summarized.
Full Analysis
SAP on Tuesday announced the release of 20 new and updated security notes as part of its April 2026 security patch day.
The most severe of the resolved flaws is CVE-2026-27681 (CVSS score of 9.9), a critical SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution.
“The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” software security firm Onapsis explains.
According to Pathlock senior product manager Jonathan Stross, the upload functionality could be exploited for direct database abuse, allowing an attacker to read and tamper with data without user interaction.
“In a potential attack scenario, an attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores. Once successfully exploited, the vulnerability can allow an attacker to extract sensitive financial data, alter reports, models, or consolidation figures, delete or corrupt database content, and create major disruption,” Stross said.
According to Onapsis, SAP resolved the issue by completely deactivating the executable code.
Advertisement. Scroll to continue reading.
On Tuesday, SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs.
Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure, denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content, or code execution in the victim’s browser.
The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application, and S4CORE.
The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation.
SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the security notes as soon as possible.
Related: SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities
Related: SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities
Related: SAP’s January 2026 Security Updates Patch Critical Vulnerabilities
Related: SAP Patches Critical Vulnerabilities With December 2025 Security Updates
Originally published by SecurityWeek
Original Source
SecurityWeek