SAP’s June 2026 security patch package drops 15 vulnerability fixes, including four critical-severity flaws hitting two of the company’s most widely deployed enterprise platforms: SAP NetWeaver and SAP Commerce Cloud.
If your organization runs SAP, and that means thousands of the world’s largest companies, you need to look at this bulletin immediately. Two of these CVEs carry CVSS scores of 9.8 or higher, and one of them effectively lets attackers walk through the front door with no credentials at all.
The Breakdown: Four Critical CVEs You Can’t Ignore
The headline vulnerability is CVE-2026-44748 (CVSS 9.9), an XML Signature Wrapping flaw in SAP NetWeaver AS ABAP. In SAML-based authentication environments, an authenticated attacker with normal privileges can take a legitimately signed SAML message, move the signed element elsewhere in the document and slot in unsigned content of their own, and the system still treats the whole document as validly signed. The result? Bypassed identity checks, unauthorized access to sensitive user data, and potential disruption of normal operations.
Think about that for a moment. You don’t need admin rights. You don’t need to crack passwords. You just need a valid low-privilege account, the signed response it gets you, and a working knowledge of signature wrapping. That’s a terrifying attack surface for ERP systems holding financial data, HR records, and supply chain intelligence.
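To make the mechanism concrete, here is an added example (not code from the original article, and nothing to do with SAP’s actual implementation) that reproduces the classic signature-wrapping pattern on a toy SAML-like document. A keyed HMAC over the referenced element stands in for a real XMLDSig signature, the key and element names are invented for the demo, and the assertion the attacker holds is the one a legitimate low-privilege login would produce. The signature check itself is correct in both versions; the bug is that the vulnerable consumer reads the identity from a different element than the one the signature covered.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed key standing in for the IdP's signing key (demo assumption).
IDP_KEY = b"demo-idp-signing-key"


def canonical_bytes(elem):
    """Serialise one element and its subtree without its tail text, so the
    bytes depend only on the element itself, not on where it sits."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="utf-8")


def toy_sign(elem):
    """Stand-in for an XMLDSig signature over the element: an HMAC over its bytes."""
    return hmac.new(IDP_KEY, canonical_bytes(elem), hashlib.sha256).hexdigest()


def build_signed_response(subject, role, assertion_id="_a1"):
    """What the IdP hands a legitimately authenticated user: one signed Assertion."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    ET.SubElement(assertion, "Role").text = role
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(sig, "SignatureValue").text = toy_sign(assertion)
    return ET.tostring(root, encoding="unicode")


def wrap_attack(signed_xml, forged_subject, forged_role):
    """XSW: keep the genuinely signed Assertion (moved under Signature so the
    reference still resolves) and put a forged Assertion where the app reads."""
    root = ET.fromstring(signed_xml)
    original = root.find("Assertion")
    sig = root.find("Signature")
    root.remove(original)
    ET.SubElement(sig, "Object").append(original)   # still reachable by ID
    forged = ET.Element("Assertion", ID="_forged")   # never signed
    ET.SubElement(forged, "Subject").text = forged_subject
    ET.SubElement(forged, "Role").text = forged_role
    root.insert(0, forged)                           # first Assertion the app sees
    return ET.tostring(root, encoding="unicode")


def verify_signature(root):
    """Resolve the Reference URI to an element anywhere in the document and
    check the HMAC over it. Returns the element the signature actually covers,
    or None. This step is correct; the bug is in what the caller does next."""
    sig = root.find("Signature")
    if sig is None:
        return None
    ref_id = sig.find("Reference").get("URI", "").lstrip("#")
    value = sig.find("SignatureValue").text or ""
    for elem in root.iter():
        if elem.get("ID") == ref_id:
            return elem if hmac.compare_digest(toy_sign(elem), value) else None
    return None


def vulnerable_subject(xml):
    """The wrapping-prone pattern: verify 'the signature', then read the
    identity from the first Assertion in the document, not from the element
    that was verified."""
    root = ET.fromstring(xml)
    if verify_signature(root) is None:
        raise ValueError("bad signature")
    assertion = root.find("Assertion")       # not necessarily the signed one
    return assertion.findtext("Subject"), assertion.findtext("Role")


def hardened_subject(xml):
    """Take identity only from the element the signature covered, and require
    it to be the single Assertion, sitting directly under Response."""
    root = ET.fromstring(xml)
    signed = verify_signature(root)
    if signed is None or signed.tag != "Assertion":
        raise ValueError("bad signature or wrong element signed")
    if len(root.findall(".//Assertion")) != 1 or signed not in list(root):
        raise ValueError("assertion count/position mismatch: possible wrapping")
    return signed.findtext("Subject"), signed.findtext("Role")


if __name__ == "__main__":
    legit = build_signed_response("alice", "user")
    wrapped = wrap_attack(legit, "admin", "administrator")
    print("vulnerable accepts:", vulnerable_subject(wrapped))
    try:
        hardened_subject(wrapped)
    except ValueError as err:
        print("hardened rejects:", err)
```

The point to carry over to a real SAML stack: the response from a signature-verification library must be "this element is signed", not a bare boolean, and the consumer must take every identity attribute from exactly that element, while treating duplicate IDs, multiple assertions or a signed element in an unexpected position as a hard failure rather than something to resolve quietly.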
Then there’s CVE-2026-27671 (CVSS 9.8), a memory corruption flaw in the NetWeaver Application Server ABAP. Here’s what makes this one especially nasty: it requires no authentication at all. An attacker simply sends crafted RFC requests to vulnerable endpoints and abuses improper validation in the SAP kernel (the native runtime underneath ABAP, not the OS kernel) to corrupt memory. No login, no credentials, nothing.
Rounding out the critical tier: CVE-2026-22732 (CVSS 9.1), a Spring Security-related vulnerability in SAP Commerce Cloud and SAP Data Hub, and CVE-2026-40128 (CVSS 9.0), a directory traversal bug in the NetWeaver Application Server Java Web Container that could expose sensitive files.
Why This Matters Beyond SAP Shops
SAP NetWeaver isn’t some niche product. It’s the foundational middleware platform underpinning SAP ERP systems — the backbone of financial operations, supply chain management, and human resources at enterprises worldwide. Commerce Cloud (formerly Hybris) powers the online storefronts and digital sales channels for major B2B and B2C organizations.
A memory corruption flaw with no authentication requirement on middleware processing RFC requests? An XML signature bypass on the authentication layer? These aren’t theoretical risks. These are the kinds of vulnerabilities that, left unpatched, give attackers the keys to the kingdom.
The Full Scope
Beyond the critical CVEs, SAP also patched two high-severity issues: CVE-2026-29145 (multiple Apache Tomcat flaws in Commerce Cloud) and CVE-2026-44751 (missing authorization check in NetWeaver AS ABAP). The remaining fixes cover SQL injection, path traversal, cross-site scripting, email spoofing, and authorization bypasses across the SAP product portfolio.
Detailed mitigations and workarounds are available only to SAP customers with security portal access — a practice that continues drawing criticism for hiding critical vulnerability context from the broader security community.
What You Should Do
Priority one: patch CVE-2026-44748 and CVE-2026-27671 immediately. If you’re running SAML-based authentication on NetWeaver, the XML wrapping flaw should keep you up at night. If your NetWeaver ABAP servers are internet-facing, or their RFC gateway ports (TCP 33NN by default, 48NN for the secure gateway) are reachable from untrusted network segments, the unauthenticated memory corruption flaw is equally urgent.
For Commerce Cloud environments, prioritize the Spring Security fix (CVE-2026-22732). And directory traversal in a Java Web Container (CVE-2026-40128) is exactly the kind of simple, reliable exploit that automated scanning tools pick up fast.
What’s Next
With SAP’s security portal locked behind customer logins, expect the security community to reverse-engineer these patches aggressively. Watch for detailed technical writeups in the coming days — particularly for the unauthenticated RFC memory corruption bug, which has all the hallmarks of an exploit that will show up in the wild quickly.
If you’re an SAP customer and haven’t started testing these patches, the clock is already ticking.
