🎯SAP found serious security holes in its software that could let bad guys take control of important systems. They've released fixes, and it's super important for companies to install these updates right away to keep their data safe.
What Happened
In a significant security update, SAP released 20 new and updated security notes on its April 2026 Patch Day. Among these updates, two vulnerabilities were rated as critical, with CVE-2026-27681 being the most severe, scoring 9.9 on the CVSS scale. This vulnerability is a critical SQL injection flaw found in Business Planning and Consolidation and Business Warehouse, which could allow attackers to execute arbitrary code.
The vulnerable ABAP program permits a low-privileged user to upload a file containing arbitrary SQL statements that will then be executed. According to software security firm Onapsis, this flaw could enable attackers to read and tamper with data without user interaction, potentially leading to the extraction of sensitive financial data, alteration of reports, and even deletion or corruption of database content.
SAP has responded by completely deactivating the executable code associated with this vulnerability. Additionally, another high-severity vulnerability, CVE-2026-34256, involves a missing authorization check in ERP and S/4 HANA, which could allow unauthorized execution of ABAP programs.
Affected Products
The vulnerabilities impact a wide range of SAP products, including:
- SAP Business Planning and Consolidation and SAP Business Warehouse (versions HANABPC 810, BPC4HANA 300, SAP_BW 750-758, 816)
- SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise, versions SAP_FIN 618, 720, 730, and various S4CORE versions)
- SAP BusinessObjects Business Intelligence Platform (versions ENTERPRISE 430, 2025, 2027)
- SAP Human Capital Management for SAP S/4HANA (versions S4HCMRXX 100-102, SAP_HRRXX 600, 604, 608)
- SAP NetWeaver Application Server ABAP (multiple versions)
- SAP HANA Cockpit and HANA Database Explorer (version SAP_HANA_COCKPIT 2.0)
This extensive list indicates the broad impact of these vulnerabilities across SAP's ecosystem, affecting both on-premise and cloud deployments.
Why Should You Care
These vulnerabilities are not just a concern for large enterprises; any organization using SAP software is at risk. If exploited, attackers could gain unauthorized access to sensitive data, disrupt business operations, and cause significant financial losses. As Jonathan Stross from Pathlock notes, the consequences of such vulnerabilities can be severe, including the manipulation of critical business data.
Your company’s data security hinges on timely updates. Failing to patch these vulnerabilities could lead to data breaches and reputational damage, emphasizing the importance of proactive security measures.
What's Being Done
SAP is actively addressing these vulnerabilities and has released patches that customers need to apply immediately. Here’s what you should do:
- Visit the SAP Support Portal to access the new security notes.
- Prioritize patching the critical vulnerabilities first, especially CVE-2026-27681 and CVE-2026-34256.
- Ensure your IT team is aware of the updates and schedules the necessary maintenance.
Experts are closely monitoring the situation, as they expect attackers to attempt to exploit these vulnerabilities before patches are widely applied. Stay vigilant and proactive to protect your systems.
The extensive range of affected SAP products underscores the importance of regular security audits and timely updates to safeguard against potential exploits.
