SAP Security Patch Day April 2026 opened with a focused but high-impact release.
SAP issued 19 new Security Notes and one update, including a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse, and a high-severity authorization flaw affecting SAP ERP and SAP S/4HANA.
The mix of vulnerabilities spans core planning, data warehousing, and ERP execution layers. SAP classified one issue as critical and several as high priority, reinforcing the need for immediate review and prioritization across affected systems.
SAPinsider maintains a continuously updated SAP Security Patch Day risk analysis, which tracks monthly updates and explains how vulnerabilities affect enterprise risk.
Where Critical SAP Vulnerabilities Demand Attention
April’s most severe vulnerabilities affect systems close to financial planning and core transaction processing. The most critical issue, a SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse (CVSS 9.9), stems from insufficient authorization checks in an ABAP upload path.
An authenticated user can execute arbitrary SQL against backend databases, enabling direct access to planning and analytics data. These systems underpin consolidation, forecasting, and reporting processes. Unauthorized access can extend into financial data structures that feed downstream decision-making.
A separate high-priority issue in SAP ERP and SAP S/4HANA (CVSS 7.1) introduces a different form of exposure. SAP describes the vulnerability as a missing authorization check that allows an authenticated user to execute an ABAP program capable of overwriting existing executable reports. Once overwritten, those reports no longer deliver their intended functionality when run, disrupting operational workflows.
Medium-priority notes broaden the scope of concern. A denial-of-service vulnerability in SAP BusinessObjects BI Platform and an information disclosure issue in SAP Human Capital Management for SAP S/4HANA extend exposure into reporting and HR systems.
These components are often shared across business units. Localized vulnerabilities can affect broader visibility into performance, compliance, and workforce data depending on how systems are configured and accessed.
Analysis
What This Means for ERP Insiders
Authorization design shapes enterprise risk. Low-privilege access paths now span planning, execution, and reporting layers, creating interconnected exposure.
How Practitioners Are Analyzing SAP Authorization Risks
Practitioner analysis adds detail to how these vulnerabilities are exploited and where exposure concentrates across SAP environments.
SecurityBridge explains how the SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse can be exploited through upload-related functionality. Insufficient authorization checks allow arbitrary SQL execution. The analysis focuses on exploitation paths and prioritization.
Pathlock extends that view across SAP ERP and SAP S/4HANA environments, emphasizing how missing authorization checks allow low-privileged users to affect application behavior. Its review highlights clusters of similar weaknesses in SAP S/4HANA services, including OData and backend functions, where insufficient access controls can permit unauthorized updates or actions depending on system configuration.
Layer Seven Security highlights how these vulnerabilities span both database and application layers. Its review of April’s notes includes issues affecting BusinessObjects BI Platform, SAP HCM for S/4HANA, and supporting services, reinforcing that exposure extends across reporting, HR, and administrative surfaces.
Taken together, these perspectives point to a consistent pattern. April’s highest-risk vulnerabilities rely on authenticated users with low privileges and exploit gaps in authorization, shifting exposure toward internal pathways across SAP systems.
Analysis
What This Means for ERP Insiders
Internal access paths are becoming primary attack surfaces. Shared services and integrations increasingly connect low-privilege actions to high-impact outcomes.
About Us
ERP Today covers how ERP, cloud, and AI change the way businesses run. Our editors speak with practitioners, vendors, and analysts to surface the technology, contracts, and risks that matter for enterprise leaders.