SAP released 26 security notes on February 11, 2026. This page covers confirmed critical and high severity notes sourced from NVD, Tenable, Pathlock, SecurityBridge, and CCB Belgium advisory AV26-107. Full list on the SAP Support Launchpad.

February 2026 · 26 notes released

Patch Archive

February 2026 SAP Security Patches

Critical and high severity notes from SAP Patch Tuesday February 11, 2026. All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.

2

Critical (covered)

0

High (covered)

0

Medium (covered)

0

Low (covered)

T12026-02-11
SAP CRM / S/4HANA

SQL Injection via Generic Function Module in SAP CRM and SAP S/4HANA

An authenticated low-privileged user can exploit a flaw in a generic function module to execute arbitrary SQL statements directly against the database. Full read, modify, and delete access to database content is possible, enabling complete database compromise.

🔴Patch immediately
#3697099CVSS 9.9
T12026-02-11
SAP NetWeaver

Missing Authorization Check Allows RFC Background Calls Without S_RFC in SAP NetWeaver AS ABAP

Authenticated low-privileged users can perform background Remote Function Calls without possessing the required S_RFC authorization. This can allow unauthorized access to RFC-enabled function modules, potentially enabling modification of critical system functions and disruption of operations.

🔴Patch immediately
#3674774CVSS 9.6
← January 2026March 2026 →