Monthly Digest

Patch Intelligence

April 2026 SAP Security Patches

Every SAP Security Note from Patch Tuesday, ranked by what actually matters to your landscape. Tier 1 products are in almost every SAP shop — missing a patch there is career-ending for BASIS admins.

8

patches this month

2

critical

4

high

2026-04-14

Patch Tuesday

T3No critical or high-severity patches in Tier 3 products this month (Commerce, IBP, Ariba, SuccessFactors, Concur).

Tier 1 — Mission Critical

5 patches

Products in virtually every SAP environment. Patch these first, every month.

T12026-04-14
SAP NetWeaver AS ABAP

Remote Code Execution via ICM HTTP Request Smuggling

The Internet Communication Manager (ICM) mishandles chunked transfer-encoding headers, allowing an unauthenticated attacker to smuggle a second request and execute arbitrary OS commands as <sid>adm. No authentication required.

🔴Patch immediately
#3479892CVSS 9.8
T12026-04-14
SAP HANA DB

Privilege Escalation via XS Advanced Container Runtime

An authenticated low-privilege user in the XS Advanced runtime can abuse a container lifecycle callback to inject commands that execute as the SYSTEM user. Affects HANA 2.0 SPS 07 and earlier.

🟠Within 2 weeks
#3481204CVSS 8.8
T12026-04-14
SAP S/4HANA

Missing Authorization Check in Purchase Order Approval API

The REST endpoint for programmatic PO approval does not validate object-level authorization. An authenticated user with Create Purchase Requisition access can approve their own orders up to any value.

🟠Within 2 weeks
#3477651CVSS 8.3
T12026-04-14
SAP Business Client

DLL Side-Loading via Malicious Update Server Response

The Business Client auto-update mechanism does not validate the integrity of downloaded DLL payloads. An attacker with network access between the client and update server can substitute a malicious DLL that executes with the user's privileges at next launch.

🟠Within 2 weeks
#3480115CVSS 7.5
T12026-04-14
SAP Fiori / UI5

Stored XSS in Launchpad Tile Configuration

Fiori Launchpad fails to sanitise tile subtitle text before rendering. An admin-level user can inject persistent JavaScript that executes in the browser context of any user who views the affected tile group.

🟡Next patch window
#3476390CVSS 6.4

Tier 2 — Notable This Month

3 patches

Real deployments with something worth acting on in April.

T22026-04-14
SAP Solution Manager

Unauthenticated Access to Diagnostics Agent RFC Interface

The Diagnostics Agent on managed systems exposes an RFC interface without authentication checks when called via SolMan's internal SOAP gateway. An attacker with network access to the SolMan host can invoke arbitrary RFMs on connected managed systems.

🔴Patch immediately
#3478833CVSS 9.1
T22026-04-14
SAP Web Dispatcher

HTTP/2 Request Smuggling Enables Backend Cache Poisoning

A flaw in the HTTP/2 to HTTP/1.1 downgrade path allows smuggled requests to be cached by the backend ICM as legitimate responses. Attackers can poison cached content served to subsequent users.

🟠Within 2 weeks
#3475902CVSS 7.4
T22026-04-14
SAP BTP

SSRF via Destination Service URL Validation Bypass

The BTP Destination Service fails to fully validate user-supplied target URLs, allowing a low-privilege BTP user to proxy requests to internal cloud infrastructure metadata endpoints.

🟡Next patch window
#3479001CVSS 6.8

Previous months