SAP Security Patch Day May 2026 Shows Risk Beyond Core Applications

Key Takeaways

SAP issued 15 new Security Notes in May 2026, including critical vulnerabilities in SAP S/4HANA Enterprise Search for ABAP and SAP Commerce Cloud.

The May release shows why SAP patch triage needs operational context, including system exposure, access, remediation ownership, and validation.

Vendor analysis around Mini Shai-Hulud highlights SAP software supply-chain risk across developer systems, credentials, build environments, and package dependencies.

SAP’s May 2026 Security Patch Day was moderate in volume but broad in exposure.

SAP issued 15 new Security Notes on May 12, including two critical notes, one high-priority note, eleven medium notes, and one low note. The highest-severity vulnerabilities affected SAP S/4HANA Enterprise Search for ABAP and SAP Commerce Cloud, while a high-priority issue in SAP Forecasting & Replenishment added operational planning risk.

May’s risk profile reached core ERP search, internet-facing commerce, supply chain planning, and SAP-adjacent developer tooling. It also showed why SAP teams need both official Patch Day guidance and trusted vendor intelligence when supply-chain issues can reach development systems, credentials, and build environments.

Critical SAP Vulnerabilities Reach Business Operations

May’s two critical vulnerabilities affected different parts of the SAP estate.

The first was a SQL injection vulnerability in SAP S/4HANA Enterprise Search for ABAP, rated at CVSS 9.6. The CVE record says an authenticated attacker with low privileges could inject malicious SQL statements through user-controlled input.

That makes the vulnerability a core ERP data-access issue. Enterprise Search sits close to the way users find and retrieve business information in SAP S/4HANA, so the risk can affect confidentiality and availability across business processes that depend on ERP data.

The second critical issue was a missing authentication check in SAP Commerce Cloud configuration, also rated at CVSS 9.6. The CVE record says improper Spring Security configuration could allow an unauthenticated user to upload malicious configuration content and inject code, resulting in arbitrary server-side code execution.

MindFore CEO Laxman Bolineni framed both issues in business terms. He tied the SAP S/4HANA issue to sensitive business data and placed the Commerce Cloud vulnerability closer to storefront operations, customer data, integrations, and availability. That distinction matters because May’s critical notes create different exposures: one reaches into ERP data access, while the other reaches customer-facing commerce operations.

Analysis

What This Means for ERP Insiders

Business context should shape patch order. The same CVSS score can mask different operating risks, so SAP teams should weigh each vulnerability against revenue exposure, data sensitivity, and recovery complexity.

SAP Patch Triage Needs Operational Context

The high-priority issue in SAP Forecasting & Replenishment shows why severity labels need more than a score. The vulnerability is an OS command injection issue rated at CVSS 8.2. The CVE record says an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Exploitation could let the attacker read or modify data or shut down the system.

That risk profile differs from the two critical notes. It requires elevated privileges and is not remotely enabled, but the possible impact remains severe because Forecasting & Replenishment supports planning processes tied to inventory, replenishment, and supply chain continuity. A lower score does not make the issue operationally minor.

Layer Seven Security added practical remediation detail across the main product vulnerabilities. It said SAP addressed the SAP S/4HANA SQL injection issue through input validation, the Commerce Cloud issue through patched releases and configuration upload changes, and the Forecasting & Replenishment issue through authorization checks and command screening.

Gert-Jan Koster, SAP Security specialist at SecurityBridge, used the May Patch Day release to point to the broader triage challenge. SAP landscapes often span on-premise systems, cloud services, and hybrid architectures, where interconnected components and dependencies can complicate patch planning.

Pathlock’s analysis of the full May release added a coordination layer to that prioritization challenge. Jonathan Stross, senior product manager, cybersecurity R&I, at Pathlock, explained how May’s vulnerabilities cut across SAP applications, cloud services, analytics, and developer tooling.

Taken together, these perspectives show why note count and CVSS score can only start the response process. SAP teams still need to know where affected components run, who can access them, which teams own remediation, and how fixes will be validated.

Analysis

What This Means for ERP Insiders

Ownership gaps slow remediation. Patch planning should assign decision rights before Patch Day, so teams know who validates fixes, approves downtime, reviews access, and confirms business recovery.

Mini Shai-Hulud Shows Why Vendor Intelligence Matters

The most revealing part of May Patch Day may be what surfaced through vendor analysis rather than SAP’s main Patch Day table.

Alongside the 15 new notes on SAP’s Patch Day page, SecurityBridge highlighted SAP Note 3747787 on malicious open-source packages in SAP Cloud Application Programming Model and MTA Build Tool. Although the note carried a listed CVSS score of 0.0 in SAP materials, Koster described the Mini Shai-Hulud malware campaign as a CVSS 10.0 issue to emphasize its operational importance.

That was the same campaign Joris van de Vis, director of security research at SecurityBridge Research Labs, analyzed in detail. He said four SAP ecosystem npm packages were compromised on April 29. The affected versions were tied to SAP CAP database services and Cloud MTA Build Tool. The malware targeted developer and build credentials, including GitHub and npm tokens, cloud secrets, Kubernetes configuration, SSH keys, and CI/CD environment variables.

The risk was not limited to package installation. Layer Seven Security said response cannot stop at replacing affected packages because developer systems, build environments, repositories, credentials, and persistence files may remain in scope.

The developer-tooling details made that remediation harder. Mini Shai-Hulud could hide in project files used by VS Code and Claude Code, according to Layer Seven Security. If those files remained in place, a routine action could become risky: opening a compromised project might trigger malicious activity again.
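As an added illustration, not code from the article or from any vendor it cites, the following Python check covers the first response step Layer Seven Security describes, replacing affected packages: it audits a project's package-lock.json against a watchlist of compromised name/version pairs and flags any package that declares an install-time script. The package names and versions in the watchlist and sample lockfile are constructed placeholders; the real entries come from SAP Note 3747787 and the vendor advisories.

```python
import json

# Constructed watchlist of compromised name/version pairs. The article names no
# specific versions, so these are placeholders: replace them with the entries
# from SAP Note 3747787 and the vendor advisories it references.
COMPROMISED = {
    ("example-sap-cap-db-package", "9.9.9"),
    ("example-mta-build-package", "1.2.3"),
}

def package_name(path: str, entry: dict) -> str:
    """Package name from a lockfile 'packages' key such as
    'node_modules/@scope/name' or 'node_modules/a/node_modules/b' (the segment
    after the last 'node_modules/'); aliased packages carry an explicit 'name'."""
    return entry.get("name") or path.split("node_modules/")[-1]

def audit_lockfile(lock: dict, watchlist=COMPROMISED) -> dict:
    """Scan a parsed package-lock.json (lockfileVersion 2 or 3).
    Reports packages whose name@version is on the watchlist, and packages that
    declare an install lifecycle script (hasInstallScript), which is where a
    malicious package would run at install time and so deserves review even
    before it appears on any watchlist."""
    findings = {"compromised": [], "install_scripts": []}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project itself
        name = package_name(path, entry)
        version = entry.get("version", "")
        if (name, version) in watchlist:
            findings["compromised"].append(f"{name}@{version}")
        if entry.get("hasInstallScript"):
            findings["install_scripts"].append(f"{name}@{version}")
    return findings

# Constructed sample lockfile: one direct dependency matches the watchlist and
# one transitive dependency declares an install script.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-cap-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-cap-app", "version": "1.0.0"},
    "node_modules/example-sap-cap-db-package": {"version": "9.9.9"},
    "node_modules/@example/safe-lib": {"version": "2.0.0"},
    "node_modules/@example/safe-lib/node_modules/native-helper":
      {"version": "0.4.1", "hasInstallScript": true}
  }
}""")

if __name__ == "__main__":
    print(json.dumps(audit_lockfile(SAMPLE_LOCK), indent=2))
```

A clean result here covers only the package-replacement step; as the article notes, developer systems, build environments, credentials, and project files still need their own review.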

Orca Security’s research widens the lens further. Roi Nisimi, principal security researcher at Orca Security, reported a related Mini Shai-Hulud wave affecting TanStack, Mistral AI, UiPath, 169 npm package names, and two PyPI packages. Orca also warned that malicious packages could be published from legitimate GitHub Actions runners using valid OIDC tokens, making npm provenance alone an incomplete safety signal.

SAP’s Patch Day guidance and vendor research serve different purposes. SAP’s table tells customers what has been formally released and prioritized. Partner analysis can show where exposure may persist when compromised packages may have reached development systems, credentials, or cloud environments.

May Patch Day shows why SAP security depends on combining official SAP guidance with vendor intelligence. The attack surface now includes the tools, credentials, pipelines, package registries, and external components used to build and extend SAP systems.

Analysis

What This Means for ERP Insiders

Vendor intelligence closes the response gap. SAP teams need partner research to identify post-patch exposure, especially when the risk sits in credentials, build systems, and developer workflows.
