SAP July 2026 Patches: 9.9 CVSS NetWeaver Flaw, 2 More Critical Fixes
Key Takeaways
- SAP's July 2026 security update addresses three critical vulnerabilities, including a 9.9-rated memory corruption in NetWeaver AS ABAP.
- The flaws could allow attackers to access sensitive data, disrupt operations, or hijack sessions.
- Security teams must prioritize patching, with workarounds available for immediate risk mitigation.
Mentioned
Key Intelligence
Key Facts
- 1SAP released 19 new and updated security notes on its July 2026 patch day, covering critical to low-severity vulnerabilities.
- 2CVE-2026-44747 (CVSS 9.9) is a memory corruption in NetWeaver Application Server ABAP that allows data access, modification, and system unavailability by an authenticated attacker.
- 3CVE-2026-27690 (CVSS 9.1) enables unauthenticated HTTP Request Smuggling in SAP Approuter, leading to request-response desynchronization and potential data exposure.
- 4CVE-2026-44761 (CVSS 9.1) stems from hardcoded credentials in Commerce Cloud sample scripts, permitting unauthorized API access if the OAuth2 client secret is not changed post-testing.
- 5SAP provides a workaround for the NetWeaver flaw: disable all ICF nodes with a specific property in transaction SICF.
- 6CISA has previously added 14 SAP vulnerabilities to its Known Exploited Vulnerabilities catalog, though no active exploitation of the new July 2026 flaws has been confirmed.
CVE-2026-44747 - Memory corruption in NetWeaver AS ABAP
Who's Affected
Analysis
For cybersecurity professionals, SAP's patch day delivers a stark reminder of the risk in core enterprise systems. A 9.9 CVSS vulnerability in NetWeaver allows authenticated attackers to corrupt memory, potentially compromising entire SAP landscapes. With two additional 9.1-rated critical flaws, the urgency to apply these patches or implement workarounds cannot be overstated.
What to Watch
SAP's July 2026 Patch Day delivered a critical wake-up call for the enterprise IT world, releasing 19 new and updated security notes that address a trio of critical vulnerabilities across its core product suite. The most severe, CVE-2026-44747, carries a near-maximum CVSS score of 9.9 and affects NetWeaver Application Server ABAP—the runtime environment underpinning a vast array of SAP business applications. This memory corruption bug, stemming from an out-of-bounds write weakness, allows an authenticated attacker to abuse logical errors in memory management to access, modify, or deny service to mission-critical systems. Onapsis, a leading SAP security firm, emphasizes that successful exploitation compromises confidentiality, integrity, and availability entirely. While a patch is the definitive fix, SAP also provides a temporary workaround: disabling all ICF nodes with a specific property in transaction SICF. The second critical flaw, CVE-2026-27690 (CVSS 9.1), is an HTTP Request Smuggling vulnerability in Approuter, the Node.js middleware library that routes traffic for cloud-based SAP applications on the Business Technology Platform. In non-Cloud Foundry deployments, an unauthenticated attacker can send a specially crafted HTTP request to desynchronize responses, gaining access to other users' responses and triggering denial-of-service attacks. This is particularly concerning for organizations running hybrid cloud environments where Approuter bridges on-premises and cloud services. The third critical issue, CVE-2026-44761 (CVSS 9.1), was found in SAP Commerce Cloud and involves hardcoded credentials in sample configuration scripts previously provided for development and testing. These scripts configure OAuth2 clients with known secrets; if a customer runs the sample script and accidentally retains the resulting OAuth2 client in production without replacing the hardcoded secret, an unauthenticated attacker can obtain a valid access token. That token enables them to invoke specific APIs and read or tamper with system data. Crucially, customers who removed the sample client or replaced the secret with a unique, strong value are unaffected, making this a classic configuration hygiene issue. Beyond the three critical bugs, SAP's July 2026 advisory includes six high-severity flaws, seven medium, and one low—encompassing DLL hijacking, open redirects, missing authorization checks, remote code execution, cross-site scripting (XSS), path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations. The breadth of these weaknesses underscores the persistent attack surface within monolithic and cloud-native SAP landscapes. Contextually, the enterprise software giant has seen growing attention from threat actors and regulatory bodies. CISA previously added 14 SAP security flaws to its Known Exploited Vulnerabilities (KEV) catalog, though SAP states it has not found evidence that the newly disclosed July 2026 vulnerabilities have been exploited in the wild. That does not diminish the urgency, as security researchers note that SAP vulnerabilities, once disclosed, quickly attract scanning and exploit attempts. With tens of thousands of organizations globally running SAP for finance, supply chain, HR, and manufacturing, any unpatched system represents a potential entry point for data theft, ransomware, or sabotage. The patch day also highlights the ongoing shift in attack techniques from simple perimeter exploits to more nuanced application-layer attacks like HTTP smuggling and memory corruption. For defenders, the immediate priority is to inventory NetWeaver ABAP, Approuter, and Commerce Cloud instances and assess exposure. The Approuter flaw, in particular, may affect organizations that migrated to SAP BTP but retained older, non-Cloud Foundry deployment models. The Commerce Cloud hardcoded credential issue, while confined to a specific misconfiguration, could be widespread given the common practice of using sample scripts in development without proper cleanup. Overall, the July 2026 patch set reinforces the need for a routine, rapid patch management cadence paired with verification that production systems are free of default or sample configurations. As SAP continues to evolve its platform, the security community will be watching closely for how quickly these critical patches are adopted and whether exploit attempts emerge in the weeks ahead.
Sources
Sources
Based on 2 source articles- SecurityWeekSAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce CloudJul 14, 2026
- BleepingComputerSAP warns of critical flaws in NetWeaver and Commerce CloudJul 14, 2026
Cite This Page
"SAP July 2026 Patches: 9.9 CVSS NetWeaver Flaw, 2 More Critical Fixes." Cyber Intelligence Brief, July 14, 2026. https://getcyberbrief.com/story/sap-july-2026-patches-critical-netweaver-9-9-cvss
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |