SAP’s June 2026 Security Patch Day delivered four critical fixes across SAP NetWeaver AS ABAP, ABAP Platform, SAP NetWeaver Application Server Java, SAP Commerce Cloud, and SAP Data Hub, putting authentication, kernel, Java, and commerce environments on the remediation list.
The official page lists 15 new security notes and says customers should visit the support portal and apply patches on priority to protect their SAP landscapes. Onapsis counted 20 new and updated SAP security patches when updated notes are included, with six HotNews notes and three High Priority notes. SecurityBridge used the same overall count of 15 new notes and five in-between releases or updates.
The four new critical notes address an XML Signature Wrapping vulnerability in SAML authentication, a memory corruption vulnerability in Application Server ABAP, a Spring Security vulnerability affecting SAP Commerce Cloud and SAP Data Hub, and a directory traversal vulnerability in SAP NetWeaver Application Server Java.
The Center for Cybersecurity Belgium on June 9 also issued a warning urging organizations to patch vulnerable devices with the highest priority after testing. The agency said no active exploitation had been observed in the wild, but it also warned that patching prevents future exploitation and does not remediate historic compromise.
Analysis
What this means: SAP security teams need to prioritize by exposure, not only CVSS score. The June cycle affects identity, RFC kernel handling, Java web entry points, and customer-facing commerce services, which means remediation sequencing must reflect where systems are reachable and how deeply each component sits in the enterprise stack. For SAP Basis teams, CISOs, and ERP program leaders, the ABAP kernel and SAML trust-boundary notes deserve immediate review because they sit below many connected business processes.
SAML and Kernel Issues Hit ABAP Trust Controls
The highest-scoring issue is CVE-2026-44748, addressed by SAP Security Note 3746332 with a CVSS score of 9.9. SAP lists the vulnerability as XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform.
Onapsis said the vulnerability allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier. Because of improper XML signature verification, the manipulated identity information is accepted, potentially leading to unauthorized access to sensitive user data and disruption of normal system usage.
Layer Seven Security described the issue as a trust-boundary problem between XML signature verification and SAML identity consumption, making it relevant for systems using SSO, Web Service Security, or federated authentication. Onapsis and Layer Seven both said disabling SAML authentication is a temporary workaround, but the permanent fix is to apply the SAP-provided corrections or support packages.
CVE-2026-27671, addressed by SAP Security Note 3717897 with a CVSS score of 9.8, affects the SAP Kernel used by Application Server ABAP in SAP NetWeaver and ABAP Platform. SAP lists it as a memory corruption vulnerability.
Onapsis said the issue stems from improper validation of the RFC protocol, allowing an unauthenticated attacker to send a crafted RFC request that exploits logical errors in memory management. Layer Seven said successful exploitation could compromise confidentiality, integrity, and availability by enabling unauthorized data access, manipulation of application processing, service instability, or disruption.
SecurityBridge said the fix requires a kernel update and that there is no workaround. That makes the issue especially important for SAP Basis and security teams because remediation requires kernel patch planning rather than a configuration-only response.
Java and Commerce Cloud Add Internet-Facing Risk
CVE-2026-40128, addressed by SAP Security Note 3727078 with a CVSS score of 9.0, affects the Web Container component of SAP NetWeaver Application Server Java. SAP lists ENGINEAPI 7.50 as the affected version.
Onapsis said its researchers were able to craft a malicious HTTP logon request as an unauthenticated user that manipulates file inclusion parameters, enabling path traversal and processing of the included file. The result could allow an attacker to view or modify sensitive information or render part of the local system unavailable.
Layer Seven said no workaround is available, making the SAP-provided patches the only effective remediation. SecurityBridge also said there is no workaround and advised applying the patch, with FAQ Note 3758864 providing additional information.
CVE-2026-22732, addressed by SAP Security Note 3748262 with a CVSS score of 9.1, affects SAP Commerce Cloud and SAP Data Hub through Spring Security. SAP lists HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, 2211-JDK21, and DHUB_CLOUD 2211 as affected versions.
Onapsis said the affected applications use a version of Spring Security that could fail to write HTTP response headers under certain conditions, including important security headers. The issue can have high impact on confidentiality and integrity, with no impact on availability. Layer Seven added that SAP Commerce Cloud uses a multi-layer mechanism for setting HTTP security response headers, but may not provide a fallback for headers managed exclusively by Spring.
Layer Seven said SAP remediated the issue by upgrading Spring Security to non-vulnerable versions in SAP Commerce Patch Release 2205.50, SAP Commerce Cloud Public Cloud Update Releases 2211.52 and 2211-jdk21.10, and SAP Data Hub Patch Releases 2205.50 and 2211.52. SecurityBridge said there is no workaround, and Pathlock noted that SAP Commerce Cloud customers may need to rebuild and redeploy, then validate the corrected version in the running environment.
Analysis
What this means: Commerce Cloud patching reaches beyond note application. The Spring Security and Apache Tomcat issues show how SAP Commerce Cloud remediation can require release updates, rebuilds, redeployments, and validation in the running environment. For enterprise architects and implementation partners, the practical issue is customer-facing commerce platforms need patch pipelines that can move quickly without disrupting revenue-generating channels.
High Priority Notes Extend the Scope
Beyond the four new critical vulnerabilities, SAP’s June list includes High Priority fixes for SAP Commerce Cloud and SAP NetWeaver AS ABAP.
SAP Security Note 3747484, with a CVSS score of 7.4, addresses multiple Apache Tomcat vulnerabilities within SAP Commerce Cloud. Onapsis said the vulnerabilities affect certificate-based authentication and validation mechanisms and are tracked under CVE-2026-29145, CVE-2025-66614, and CVE-2026-24734.
SAP Security Note 3735546, with a CVSS score of 7.1, addresses a missing authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform. Onapsis said its researchers identified a program that allows a low-privileged authenticated attacker to overwrite information belonging to another user, resulting in privilege escalation.
Onapsis also noted that SAP Security Note 3732471, a High Priority OS command injection fix in SAP Forecasting & Replenishment originally released on SAP’s May Patch Day, was updated with additional correction instructions.
Updated HotNews Notes Keep Commerce and Build Toolchain in View
Two updated HotNews notes also matter for SAP teams reviewing the June cycle.
Onapsis said SAP Security Note 3733064, a CVSS 9.6 missing authentication check vulnerability in SAP Commerce Cloud configuration, was re-released with textual changes to the Symptom, Other Terms, Solution, and Workaround sections. SecurityBridge said the update did not introduce a new security risk beyond the earlier issue.
SAP Security Note 3747787, covering malicious open-source packages in SAP Cloud Application Programming Model and MTA Build Tool, was also updated. Onapsis said SAP added another malicious NPM package and additional hash keys identifying vulnerable versions. SecurityBridge said the CVSS score remains 0.0, but urged teams using NPM packages to check the latest note update.
Medium Severity Notes Matter for Integration, Data Exposure
The medium and low-priority notes are not the headline of the month, but they still affect important SAP attack-surface areas.
SAP Security Note 3751691 addresses a SQL injection vulnerability in SAP S/4HANA with a CVSS score of 6.5. Onapsis said its researchers identified a remote-enabled function module that could be exploited by an authenticated attacker to execute unauthorized database queries and access sensitive information.
SAP Security Note 3748819 addresses a missing caller identification check in ODP Data Replication APIs, with a CVSS score of 6.6. SecurityBridge said this note disables non-intended use of ODP Data Replication APIs, which are designed exclusively for data transfer between SAP applications. That makes the patch operationally relevant for teams that need to understand whether any custom or third-party integrations rely on those APIs.
Other June notes cover reflected XSS in SAP NetWeaver AS Java JDBC Test Servlet, XSS in SAP Wily Introscope Enterprise Manager, missing authorization in SAP MDG, email spoofing in SAP BusinessObjects BI Platform, path traversal in SAP Fiori launchpad, security misconfiguration in SAP BusinessObjects, and a potential Apache Log4j vulnerability in SAP NetWeaver AS Java.
Analysis
What this means: Integration behavior needs pre-patch mapping. The ODP Data Replication API note is not only a vulnerability fix; SecurityBridge’s analysis indicates it may disable API usage outside intended SAP-to-SAP transfer patterns. For system integrators and transformation teams, that makes interface discovery, RFC exposure review, SAML flow validation, and API dependency mapping part of the security patch process rather than separate architecture work.
