Severity: critical | Published: 2026-05-12 | Product: SAP S/4HANA | CVE-2026-34260
SQL Injection in SAP S/4HANA Enterprise Search
SAP S/4HANA (Enterprise Search for ABAP)
Our Take
CVSS 9.6 with a low-privilege exploit path against the S/4HANA Enterprise Search component. The version coverage spans nearly every modern SAP_BASIS release, meaning most S/4HANA shops are exposed. This is your weekend task — direct SQL injection on a production database is the worst kind of vulnerability, and the bar to exploit it is "any authenticated user".
Vulnerability Detail
Unsanitised user input is concatenated directly into SQL queries in the Enterprise Search component, allowing an authenticated attacker to inject arbitrary SQL statements. Impact is primarily on confidentiality and availability — unauthorised database access and information disclosure are possible.
Patch Action
Apply SAP Note 3724838.
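The advisory gives no code, so the following is an added illustration of the bug class on the ABAP stack, not SAP's Enterprise Search code: the same search term once concatenated into a dynamic WHERE clause, then escaped with cl_abap_dyn_prg=>quote, then bound as a host variable. The report name, the parameter p_term and the demo table sflight are assumptions.

```abap
REPORT zsqli_demo.
" Added illustration only; not SAP's Enterprise Search code.
" p_term and the demo table sflight are assumptions for this example.
PARAMETERS p_term TYPE c LENGTH 40 LOWER CASE.

DATA lv_where TYPE string.
DATA lt_hits  TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.

" Vulnerable pattern: user text becomes part of the SQL statement itself,
" so a quote character in p_term changes the query structure.
lv_where = |CARRID = '{ p_term }'|.
SELECT * FROM sflight WHERE (lv_where) INTO TABLE @lt_hits.

" Hardened, option 1: if dynamic SQL is unavoidable, escape the value
" so it is always treated as a single literal.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_term ) }|.
SELECT * FROM sflight WHERE (lv_where) INTO TABLE @lt_hits.

" Hardened, option 2: no dynamic SQL at all; the value is bound as a
" host variable and can never be parsed as SQL.
SELECT * FROM sflight WHERE carrid = @p_term INTO TABLE @lt_hits.
```

Option 2 is the preferred fix wherever the column set is static; option 1 is for genuinely dynamic clauses, and both are available on every SAP_BASIS release listed below.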
Affected Versions
SAP_BASIS 751, 752, 753, 754, 755, 756, 757, 758, 816
Patch Info
All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.