SAP released 26 security notes on February 11, 2026. This page covers confirmed critical and high severity notes sourced from NVD, Tenable, Pathlock, SecurityBridge, and CCB Belgium advisory AV26-107. Full list on the SAP Support Launchpad.

February 2026 · 26 notes released

Patch Archive

February 2026 SAP Security Patches

Critical and high severity notes from SAP Patch Tuesday February 11, 2026. Timing recommendations are editorial — verify against official SAP Security Notes before acting.

2

Critical (covered)

0

High (covered)

0

Medium (covered)

0

Low (covered)

T12026-02-11
SAP CRM / S/4HANA

SQL Injection via Generic Function Module in SAP CRM and SAP S/4HANA

An authenticated low-privileged user can exploit a flaw in a generic function module to execute arbitrary SQL statements directly against the database. Full read, modify, and delete access to database content is possible, enabling complete database compromise.

🔴Patch immediately
#3697099CVSS 9.9
T12026-02-11
SAP NetWeaver

Missing Authorization Check Allows RFC Background Calls Without S_RFC in SAP NetWeaver AS ABAP

Authenticated low-privileged users can perform background Remote Function Calls without possessing the required S_RFC authorization. This can allow unauthorized access to RFC-enabled function modules, potentially enabling modification of critical system functions and disruption of operations.

🔴Patch immediately
#3674774CVSS 9.6
← January 2026March 2026 →