SAP’s June 2026 Security Patch Day showed how quickly ERP security risk can concentrate around the trust layers that keep enterprise systems operating. It delivered 15 new Security Notes, matching May’s volume but carrying a sharper risk profile.
The notes cluster around the mechanisms SAP systems use to establish trust: SAML authentication, RFC communication, Java logon handling, cloud middleware, and authorization. The broader June patch cycle also kept developer supply chain risk in view through an update to SAP Note 3747787.
What sets June apart is not the count but where the highest-severity notes land: in foundational parts of the SAP landscape.
ABAP Identity and RFC Controls Carry the Highest Risk
June’s two highest-severity notes both affect SAP NetWeaver AS ABAP and ABAP Platform, but they reach the platform through different trust surfaces.
The first is XML Signature Wrapping in SAML Authentication (CVSS 9.9). Jonathan Stross, Senior Product Manager Cybersecurity R&I at Pathlock, described the flaw as broadly relevant wherever SAML is used for SAP authentication, adding that “in large estates, this is not an edge case; it is a core authentication control.” Layer Seven Security analysts similarly framed the issue around “the trust boundary between XML signature verification and SAML identity consumption,” making the risk relevant for environments that rely on single sign-on, federated identity, portal access, or Web Service Security.
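To make the trust-boundary point concrete, here is an added Python example of XML Signature Wrapping against a SAML-style verifier. It is not SAP code and makes no claim about the mechanics of the SAP note; it is a constructed toy in which an HMAC over the serialized Assertion stands in for XML-DSig, the Signature is a sibling of the Assertion rather than enveloped, and all element names, IDs, subjects and the key are assumptions. The vulnerable consumer validates the signature by resolving the Reference ID anywhere in the document and then reads the identity from the first Assertion it finds; the hardened consumer reads identity only from the element the signature actually covers and rejects the document if that element is not where the profile expects it.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed toy key. Real SAML uses XML-DSig (RSA/ECDSA over canonicalised XML);
# the wrapping problem is independent of the signature algorithm.
IDP_KEY = b"constructed-idp-key"


def _canon(elem):
    """Stand-in for XML canonicalisation: serialise the element without its tail."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="utf-8")


def _sig(elem):
    return hmac.new(IDP_KEY, _canon(elem), hashlib.sha256).hexdigest()


def issue_response(subject):
    """IdP side: one Assertion, referenced by ID from a Signature element.
    Simplified: the Signature is a sibling of the Assertion rather than enveloped."""
    root = ET.Element("Response")
    a = ET.SubElement(root, "Assertion", ID="a1")
    ET.SubElement(ET.SubElement(a, "Subject"), "NameID").text = subject
    s = ET.SubElement(root, "Signature")
    ET.SubElement(s, "Reference", URI="#a1")
    ET.SubElement(s, "SignatureValue").text = _sig(a)
    return ET.tostring(root, encoding="unicode")


def wrap(response_xml, attacker_subject):
    """Attacker side (XSW): keep the signed Assertion so the signature still verifies,
    park it under an element the consumer never reads, and put an unsigned Assertion
    with a chosen NameID where the consumer looks first."""
    root = ET.fromstring(response_xml)
    signed = root.find("Assertion")
    root.remove(signed)
    ET.SubElement(root, "Extensions").append(signed)
    forged = ET.Element("Assertion", ID="a2")
    ET.SubElement(ET.SubElement(forged, "Subject"), "NameID").text = attacker_subject
    root.insert(0, forged)
    return ET.tostring(root, encoding="unicode")


def _verify_reference(root):
    """Check the signature and return the element it actually covers, or None."""
    sig = root.find("Signature")
    ref = sig.find("Reference") if sig is not None else None
    if ref is None:
        return None
    ref_id = ref.get("URI", "")[1:]
    matches = [e for e in root.iter() if e.get("ID") == ref_id]
    if len(matches) != 1:  # missing or duplicate IDs are themselves a wrapping signal
        return None
    expected = sig.findtext("SignatureValue") or ""
    if not hmac.compare_digest(_sig(matches[0]), expected):
        return None
    return matches[0]


def login_vulnerable(response_xml):
    """Signature verification and identity consumption use different lookups."""
    root = ET.fromstring(response_xml)
    if _verify_reference(root) is None:
        return None
    # Bug: reads the first Assertion in document order, not the one that was verified.
    return root.find("Assertion/Subject/NameID").text


def login_hardened(response_xml):
    """Identity comes only from the verified element, which must sit where expected."""
    root = ET.fromstring(response_xml)
    signed = _verify_reference(root)
    if signed is None:
        return None
    if (signed.tag != "Assertion" or signed not in list(root)
            or len(root.findall("Assertion")) != 1):
        return None
    return signed.find("Subject/NameID").text


if __name__ == "__main__":
    legit = issue_response("alice")
    evil = wrap(legit, "mallory")
    print("vulnerable:", login_vulnerable(legit), login_vulnerable(evil))
    print("hardened:  ", login_hardened(legit), login_hardened(evil))
```

On the genuine response both consumers return alice; on the wrapped response the vulnerable consumer returns mallory while the hardened one rejects the document, and a response whose NameID was edited after signing is rejected by both. The same three checks apply to a real XML-DSig verifier: resolve the Reference once, require the referenced ID to be unique in the document, and take NameID, conditions and attributes only from the element the signature covers.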
The second is memory corruption in AS ABAP (CVSS 9.8). Stross placed this issue ahead of the higher-scored SAML note in his operational prioritization, arguing that the flaw “sits underneath many business controls” and represents a platform-level risk.
Layer Seven Security described it as a vulnerability in kernel-level RFC protocol handling that can be triggered by an unauthenticated attacker through a crafted RFC request. Remediation also carries operational weight: the fix requires a kernel patch through SAP kernel archive updates, with no workaround available.
Taken together, the June release asks SAP security teams to validate the trust paths that connect identity, communication, and access control across ABAP environments. A separate high-priority note for a missing authorization check in AS ABAP (CVSS 7.1) adds to that pattern.
Java and Commerce Cloud Extend the Exposure
The remaining critical notes extend June’s trust-layer pattern beyond ABAP.
SAP NetWeaver AS Java is affected by a directory traversal vulnerability in the Web Container (CVSS 9.0). The issue can be triggered through crafted HTTP logon requests, making external reachability a key factor in remediation priority.
Stross described the vulnerability as “a perimeter and trust-boundary issue,” while Layer Seven Security identified externally reachable SAP NetWeaver AS Java logon endpoints as the highest-priority remediation target.
SAP Commerce Cloud faces a separate but related problem. June included a Spring Security vulnerability affecting SAP Commerce Cloud and SAP Data Hub (CVSS 9.1), along with multiple Apache Tomcat vulnerabilities in SAP Commerce Cloud (CVSS 7.4). Both point to third-party middleware exposure rather than a narrow SAP application defect.
Gert-Jan Koster, SAP Security specialist at SecurityBridge, connected that pattern to a recurring Patch Day issue, noting that “every patch cycle, we see vulnerabilities come by that are based on the use of insecure third-party libraries.”
June also follows a high-severity Commerce Cloud note from May. Koster pointed to a carryover update to a SAP Commerce Cloud note for a missing authentication check, originally released in May and updated in June with textual changes. The pattern does not make Commerce Cloud uniquely exposed across SAP, but it does show why Commerce Cloud remediation needs clear ownership, sequencing, and validation.
Build Tooling Keeps Supply Chain Risk in Scope
Koster also raised SAP Note 3747787, which SAP updated after another malicious npm package was identified in the Mini Shai-Hulud software supply chain attack.
The note is not one of the 15 new June Security Notes, but it belongs in the broader June risk picture because it addresses malicious open-source packages affecting SAP Cloud Application Programming Model and MTA Build Tool. The update illustrates why SAP security teams need visibility into how SAP applications are built, extended, and deployed.
What This Means for ERP Insiders
Trust controls define SAP patch priority. June’s SAML, RFC, Java logon, and authorization notes show ERP security exposure increasingly sits in the mechanisms that authenticate users, validate identity, connect systems, and enforce access. For enterprise architects, SAP Basis teams, and security leaders, remediation planning needs to prioritize the trust paths that sit beneath business processes, not only the applications users see.
Commerce Cloud remediation requires operational ownership. The Spring Security and Apache Tomcat issues show how customer-facing ERP-adjacent platforms can inherit risk from middleware and third-party components. For ERP program owners, systems integrators, and commerce leaders, patching needs to include release updates, rebuild or redeploy steps where required, and validation that the corrected runtime is actually in production.
Developer supply chain risk belongs in ERP governance. The updated Mini Shai-Hulud note keeps SAP build tools, open-source packages, credential stores, and CI/CD pipelines inside the enterprise security perimeter. For ERP vendors, partner teams, and transformation leaders, securing SAP no longer stops at production systems; it must stretch into how applications, extensions, and cloud services are built and deployed.
Editor’s note: A version of this article was originally published on SAPinsider on 6/10.