June 2026 · 17 notes

Patch Archive

June 2026 SAP Security Patches

Every SAP Security Note from Patch Tuesday June 9, 2026, ranked by tier and CVSS score.

5

Critical

2

High

8

Medium

2

Low

Severity
Timing

Tier 1 · Always covered

9 patches

Products in virtually every SAP environment. Patch these first, every month.

T12026-06-09
SAP Cloud Application Programming Model

Malicious Open-Source Packages in SAP Cloud Application Programming Model

SAP identified malicious open-source NPM packages included as dependencies in the Cloud Application Programming Model (CAP) for Node.js. An attacker who can influence the dependency resolution or supply chain could cause the application to execute malicious code, with full confidentiality, integrity, and availability impact. SAP rates this CVSS 10.0 — the maximum score.

🔴Patch immediately
#3747787CVSS 10
T12026-06-09
SAP NetWeaver

XML Signature Wrapping in SAML Authentication of NetWeaver AS ABAP

An XML Signature Wrapping (XSW) vulnerability in the SAML Authentication component of SAP NetWeaver AS ABAP and ABAP Platform allows an authenticated attacker with low privileges to obtain a valid signed SAML message, modify the XML identity claims within the signed envelope, and replay it to the verifier. The verifier accepts the tampered document, granting the attacker access as any target user — including privileged accounts — without knowing their credentials.

🔴Patch immediately
#3746332CVSS 9.9
T12026-06-09
SAP NetWeaver

Memory Corruption via RFC Protocol in SAP Kernel (NetWeaver AS ABAP)

Improper validation of the RFC (Remote Function Call) protocol at the SAP Kernel level allows an unauthenticated remote attacker to send a specially crafted RFC request that exploits logical errors in the kernel's memory management. Successful exploitation causes memory corruption, which can lead to complete system compromise — arbitrary code execution, data exfiltration, and denial of service.

🔴Patch immediately
#3717897CVSS 9.8
T12026-06-09
SAP NetWeaver

Directory Traversal in SAP NetWeaver AS Java Web Container

A directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container (ENGINEAPI 7.50) allows an unauthenticated attacker to send malicious HTTP logon requests with manipulated file inclusion parameters. The attacker can traverse directory boundaries to access sensitive files on the server, potentially triggering denial of service conditions or extracting configuration and credential data.

🔴Patch immediately
#3727078CVSS 9
T12026-06-09
SAP NetWeaver

Missing Authorization Check in SAP NetWeaver ABAP Dictionary

Missing authorisation check in the ABAP Dictionary (BC-DWB-DIC-AC) component of SAP NetWeaver and ABAP Platform allows an authenticated attacker with low privileges to access or modify ABAP Dictionary objects beyond their intended permissions. The ABAP Dictionary is the central repository for data definitions — unauthorised write access could facilitate data manipulation or privilege escalation.

#3735546CVSS 7.1
T12026-06-09
SAP BW/4HANA

Missing Caller ID Check in SAP BW Operational Data Provisioning APIs

A missing caller identification check in the Operational Data Provisioning (ODP) APIs of SAP BW/4HANA and BW on HANA allows an authenticated attacker to invoke ODP APIs without proper caller verification, potentially accessing or manipulating data extraction pipelines and underlying data sources.

#3748819CVSS 6.6
T12026-06-09
SAP S/4HANA

SQL Injection in SAP S/4HANA Self-Service Procurement

SQL injection vulnerability in a remote-enabled function module within the SAP S/4HANA Self-Service Procurement component. An authenticated attacker can inject SQL statements through unsanitised input, potentially accessing or modifying procurement data beyond their authorisation.

#3751691CVSS 6.5
T12026-06-09
SAP Gateway

Information Disclosure in SAP Gateway OData V4

An information disclosure vulnerability in the SAP Gateway OData V4 component allows an authenticated attacker to access metadata or response content that they should not be authorised to view, potentially exposing backend data model details or sensitive business data.

#3433366CVSS 4.3
T12026-06-09
SAP Fiori

Path Traversal in SAP Fiori Launchpad

A path traversal vulnerability in the SAP Fiori Launchpad allows an authenticated attacker to manipulate file path parameters to access resources outside the intended directory scope. Exploiting this flaw could expose configuration files or internal application data.

#3682699CVSS 4.2

Tier 2 · Covered when notable

7 patches

Products with real deployments that have something worth acting on this month.

T22026-06-09
SAP Commerce Cloud

Spring Security HTTP Header Vulnerability in SAP Commerce Cloud and Data Hub

A vulnerability in the Spring Security framework — originally disclosed by VMware/Broadcom in early 2026 — affects SAP Commerce Cloud and SAP Data Hub. Incorrect HTTP security header handling in Spring Security allows an attacker to bypass security controls, with high impact on confidentiality and integrity. The underlying Spring Security flaw carries a CVSS of 9.1.

🔴Patch immediately
#3748262CVSS 9.1
T22026-06-09
SAP Commerce Cloud

Apache Tomcat Vulnerabilities in SAP Commerce Cloud

Multiple Apache Tomcat vulnerabilities (CVE-2026-29145, CVE-2025-66614, CVE-2026-24734) bundled in the SAP Commerce Cloud embedded Tomcat server. The vulnerabilities allow unauthenticated attackers to exploit weaknesses in the Tomcat server including certificate validation bypass and other server-side flaws. High impact on confidentiality and integrity.

#3747484CVSS 7.4
T22026-06-09
SAP NetWeaver

Reflected XSS in SAP NetWeaver AS Java JDBC Test Servlet

Reflected cross-site scripting vulnerability in the JDBC Test Servlet of the BW Business Explorer component in SAP NetWeaver AS Java. An attacker can craft a malicious URL that, when visited by an authenticated user, executes scripts in the victim's browser context — enabling session hijacking, phishing, or credential theft.

#3723655CVSS 6.1
T22026-06-09
SAP BusinessObjects

Email Spoofing in SAP BusinessObjects BI Platform

An email spoofing vulnerability in the SAP BusinessObjects BI Platform allows an attacker to send email notifications that appear to originate from the BI platform but contain attacker-controlled content, potentially used for phishing or social engineering attacks against BI users.

#3687096CVSS 4.3
T22026-06-09
SAP MDG

Missing Authorization Check in SAP Master Data Governance Review Match Groups

Missing authorisation check in the Review Match Groups functionality of SAP Master Data Governance allows an authenticated user to view or modify match group reviews beyond their intended access scope, potentially impacting master data integrity in key domains such as Business Partner, Material, or Customer.

#3673181CVSS 4.3
T22026-06-09
SAP BusinessObjects

Security Misconfiguration in SAP BusinessObjects Central Management Console

A security misconfiguration in the Central Management Console of SAP BusinessObjects BI Platform exposes sensitive configuration or session information that could be leveraged by an attacker to gain further access.

#3706000CVSS 3.7
T22026-06-09
SAP NetWeaver

Apache Log4j Vulnerability in SAP NetWeaver AS Java UME

Apache Log4j vulnerability in the User Management Engine (UME) component of SAP NetWeaver Application Server Java. While low severity in this context, Log4j vulnerabilities in SAP Java components should be addressed as part of routine dependency hygiene.

#3726899CVSS 3.3