critical2026-07-14SAP ApprouterCVE-2026-27690

HTTP Request Smuggling in SAP Approuter

SAP Approuter (@sap/approuter npm)

Our Take

SAP Approuter is the authentication and routing gateway for SAP BTP and CAP applications — if your organisation has cloud-native SAP workloads, Approuter is almost certainly in the path. Unauthenticated HTTP request smuggling at CVSS 9.1 with no authentication required is an urgent fix. Coordinate with your BTP/cloud team immediately.

Vulnerability Detail

An HTTP request smuggling vulnerability in SAP Approuter allows an unauthenticated remote attacker to inject malicious HTTP requests that are interpreted differently by the Approuter and the upstream application server. This can be used to bypass security controls, hijack authenticated sessions, or poison server-side caches. Exploitable in non-Cloud Foundry deployment environments.

Workaround

Ensure Approuter is not directly internet-exposed without a hardened reverse proxy or WAF in front. Review proxy configuration for request normalisation settings.

Patch Action

Upgrade @sap/approuter to version 20.10.0 or higher. Apply SAP Note 3720138.

Affected Versions

@sap/approuter < 20.10.0 (non-Cloud Foundry environments)

Patch Info

Priority

🔴 Patch immediately

CVSS Score

9.1

SAP Note

3720138

CVE

CVE-2026-27690

Published

2026-07-14

← All patches