SAP’s February 2026 Security Patch Day delivered fixes that SAP urges customers to prioritize to reduce exposure across core enterprise workloads. The release includes 26 new SAP Security Notes and one update to a previously published note.
SAP’s monthly bulletin is a remediation guide for vulnerabilities identified in SAP products, with an explicit recommendation to review the Support Portal and apply patches promptly to protect the SAP landscape.
The highest-risk issue identified is CVE-2026-0488, a code-injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) that allows authenticated, low-privilege users to inject and execute arbitrary code with cross-scope impact, and is associated with SAP Note 3697099 (CVSS 9.9).
From an attack-chain perspective, this class of flaw is especially dangerous in SAP landscapes because it can convert “business user” access into application-layer execution, enabling lateral movement into tightly coupled modules and integrations.
A second critical item, CVE-2026-0509, is a missing authorization check in SAP NetWeaver Application Server ABAP / ABAP Platform that can enable low-privilege authenticated users to bypass authorization controls (SAP Note 3674774; CVSS 9.6).
Among the high-severity set, CVE-2026-23687 (XML Signature Wrapping) in SAP NetWeaver AS ABAP / ABAP Platform is highlighted as a risk for signature-manipulation scenarios that can undermine trust decisions in XML-based flows.
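To make the XML Signature Wrapping risk concrete from the defender's side, here is an added Python example. It is not SAP's code and is unrelated to the patched component; it models a SAML-style Response whose enveloped Signature covers one Assertion by ID reference, and enforces the structural invariants a consumer should check before acting on the assertion. The documents, the placeholder signature contents and the user names are constructed, and cryptographic verification of the signature is assumed to be done separately by an XML-DSig library.

```python
"""Structural defences against XML Signature Wrapping (XSW).

Added example, not SAP code: it models a SAML-style Response in which an
enveloped Signature covers one Assertion by ID reference. Cryptographic
verification of the signature is assumed to be done by an XML-DSig library;
this code checks the structural invariants that wrapping patterns violate.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


class SignatureWrappingError(Exception):
    """Raised when the document's structure is inconsistent with its signature."""


def trusted_assertion(xml_text):
    """Return the Assertion element the signature actually covers.

    Rejects: more than one Signature or Reference, a Reference URI that is not
    a local ID, an ID that is not unique, a Signature placed outside the element
    it covers, and a consumed Assertion that differs from the signed one.
    """
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}

    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise SignatureWrappingError("expected one Signature, found %d" % len(sigs))
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SignatureWrappingError("expected one Reference, found %d" % len(refs))
    uri = refs[0].get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise SignatureWrappingError("unsupported Reference URI %r" % uri)
    ident = uri[1:]

    # The referenced ID must identify exactly one element in the whole document.
    matches = [e for e in root.iter() if e.get("ID") == ident]
    if len(matches) != 1:
        raise SignatureWrappingError("ID %r is not unique (%d matches)" % (ident, len(matches)))
    signed = matches[0]
    if signed.tag != ASSERTION_TAG:
        raise SignatureWrappingError("signature does not cover an Assertion")
    # Enveloped signature: the Signature must sit inside the element it covers.
    if parent.get(sigs[0]) is not signed:
        raise SignatureWrappingError("Signature is not enveloped in the signed element")

    # The element the application would consume: the first Assertion directly
    # under the Response. It must be the very element the signature covers.
    consumed = root.find("saml:Assertion", NS)
    if consumed is not signed:
        raise SignatureWrappingError("consumed Assertion is not the signed one")
    return signed


def subject_name(xml_text):
    """NameID of the trusted assertion's subject."""
    return trusted_assertion(xml_text).find("saml:Subject/saml:NameID", NS).text


def is_wrapped(xml_text):
    """True if the document fails the structural checks."""
    try:
        trusted_assertion(xml_text)
        return False
    except SignatureWrappingError:
        return True


# Constructed documents (placeholder signature contents, no real crypto).
HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">'
        % (NS["samlp"], NS["saml"], NS["ds"]))
SIGNED_ASSERTION = """<saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
  <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

GOOD = HEAD + SIGNED_ASSERTION + "</samlp:Response>"

# Wrapping pattern: the signed Assertion is relocated into Extensions and an
# unsigned one is placed where a naive consumer looks first.
WRAPPED = (HEAD
           + '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>mallory</saml:NameID>'
             '</saml:Subject></saml:Assertion>'
           + "<samlp:Extensions>" + SIGNED_ASSERTION + "</samlp:Extensions>"
           + "</samlp:Response>")

# Duplicate-ID pattern: two elements claim the referenced ID.
DUPLICATE_ID = (HEAD + SIGNED_ASSERTION
                + '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>mallory'
                  '</saml:NameID></saml:Subject></saml:Assertion>'
                + "</samlp:Response>")

if __name__ == "__main__":
    print(subject_name(GOOD))                              # alice
    print(is_wrapped(WRAPPED), is_wrapped(DUPLICATE_ID))   # True True
```

The design point is that the element the application acts on must be resolved from the signature's own Reference, never by position in the document, and that the referenced ID must be unique; a library that verifies the signature bytes but lets the application pick "the first Assertion" leaves the trust decision open to relocation of the signed subtree.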
Availability also features prominently: CVE-2026-23689 affects SAP Supply Chain Management and is described as uncontrolled resource consumption, where an authenticated user can repeatedly invoke a remote-enabled function module using an excessively large loop-control parameter, exhausting system resources until the service becomes unavailable.
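As an added illustration of how a defender might watch for the pattern just described, the following Python snippet (not SAP's code) parses sample call records and flags both individual calls whose loop-control parameter exceeds a ceiling and any user who repeats such calls within a short window, alongside a server-side bounds check. The log format, the function-module name Z_PLANNING_RUN, the user names and the thresholds are all constructed assumptions, not SAP formats or values.

```python
"""Detection heuristic for the resource-exhaustion pattern described above.

Added example, not SAP code. The log format below is constructed for
illustration (it is not an SAP audit-log format); the function-module name
Z_PLANNING_RUN, the user names and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_LOOP_COUNT = 10_000          # assumed sane ceiling for the loop-control parameter
BURST_THRESHOLD = 5              # assumed: this many oversized calls in one window is a burst
WINDOW = timedelta(seconds=60)

# Constructed sample records: "timestamp user=... fm=... loop_count=..."
SAMPLE_LOG = """\
2026-02-10T09:00:01Z user=JDOE fm=Z_PLANNING_RUN loop_count=50
2026-02-10T09:00:05Z user=JDOE fm=Z_PLANNING_RUN loop_count=2000000
2026-02-10T09:00:09Z user=JDOE fm=Z_PLANNING_RUN loop_count=2000000
2026-02-10T09:00:14Z user=MSMITH fm=Z_PLANNING_RUN loop_count=500000
2026-02-10T09:00:18Z user=JDOE fm=Z_PLANNING_RUN loop_count=2000000
2026-02-10T09:00:22Z user=JDOE fm=Z_PLANNING_RUN loop_count=2000000
2026-02-10T09:00:27Z user=JDOE fm=Z_PLANNING_RUN loop_count=2000000
2026-02-10T09:00:31Z user=JDOE fm=Z_PLANNING_RUN loop_count=2000000
"""


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' record into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["loop_count"] = int(rec["loop_count"])
    return rec


def analyze(log_text):
    """Return findings as (kind, user, fm, value) tuples.

    'oversized_parameter' is emitted for every call above MAX_LOOP_COUNT;
    'burst' is emitted once when a (user, fm) pair reaches BURST_THRESHOLD
    oversized calls inside a sliding WINDOW.
    """
    findings = []
    recent = defaultdict(deque)  # (user, fm) -> timestamps of oversized calls
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["loop_count"] <= MAX_LOOP_COUNT:
            continue
        findings.append(("oversized_parameter", rec["user"], rec["fm"], rec["loop_count"]))
        key = (rec["user"], rec["fm"])
        window = recent[key]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > WINDOW:
            window.popleft()
        if len(window) == BURST_THRESHOLD:
            findings.append(("burst", rec["user"], rec["fm"], len(window)))
    return findings


def guard_loop_count(value, ceiling=MAX_LOOP_COUNT):
    """Server-side mitigation sketch: reject an out-of-range value before any loop runs."""
    if not isinstance(value, int) or value < 0 or value > ceiling:
        raise ValueError("loop-control parameter out of bounds: %r" % (value,))
    return value


def count_findings(log_text, kind):
    """Number of findings of the given kind in a log."""
    return sum(1 for f in analyze(log_text) if f[0] == kind)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The two sides complement each other: the bounds check removes the amplification at the source, while the detection catches a caller who keeps probing with oversized values, which is worth an alert even after the patch is applied because it signals intent rather than a configuration accident.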
| CVE ID | Note # | Severity | CVSS | Product | Title |
|---|---|---|---|---|---|
| CVE-2026-0488 | 3697099 | Critical | 9.9 | SAP CRM & S/4HANA (Scripting Editor) | Code Injection vulnerability |
| CVE-2026-0509 | 3674774 | Critical | 9.6 | SAP NetWeaver AS ABAP & ABAP Platform | Missing Authorization check |
| CVE-2026-23687 | 3697567 | High | 8.8 | SAP NetWeaver AS ABAP & ABAP Platform | XML Signature Wrapping |
| CVE-2026-23689 | 3703092 | High | 7.7 | SAP Supply Chain Management | Denial of Service (DOS) |
| CVE-2026-24322 | 3705882 | High | 7.7 | SAP Solution Tools Plug-In (ST-PI) | Missing Authorization check |
| CVE-2026-0490 | 3654236 | High | 7.5 | SAP BusinessObjects BI Platform | Denial of Service (DOS) |
| CVE-2026-0485 | 3678282 | High | 7.5 | SAP BusinessObjects BI Platform | Denial of Service (DOS) |
| CVE-2025-12383 | 3692405 | High | 7.4 | SAP Commerce Cloud | Race Condition |
| CVE-2026-0508 | 3674246 | High | 7.3 | SAP BusinessObjects BI Platform | Open Redirect vulnerability |
| CVE-2026-0484 | 3672622 | Medium | 6.5 | SAP NetWeaver AS ABAP & S/4HANA | Missing Authorization check |
| CVE-2026-24324 | 3695912 | Medium | 6.5 | SAP BusinessObjects BI Platform (AdminTools) | Denial of Service (DOS) |
| CVE-2026-0505, CVE-2026-24323 | 3678417 | Medium | 6.1 | SAP Document Management System | Multiple vulnerabilities in BSP Applications |
| CVE-2026-24328 | 3688319 | Medium | 6.1 | BSP Application (TAF_APPLAUNCHER) | Open Redirection vulnerability |
| CVE-2025-0059 | 3503138 | Medium | 6.0 | SAP NetWeaver AS ABAP (SAP GUI for HTML) | Information Disclosure (Update to Jan 2025 Note) |
| CVE-2026-23684 | 3689543 | Medium | 5.9 | SAP Commerce Cloud | Race condition vulnerability |
| CVE-2026-24319 | 3679346 | Medium | 5.8 | SAP Business One (B1 Client Memory Dump) | Information Disclosure Vulnerability |
| CVE-2026-24321 | 3687771 | Medium | 5.3 | SAP Commerce Cloud | Information Disclosure vulnerability |
| CVE-2026-24312 | 3710111 | Medium | 5.2 | SAP Business Workflow | Missing authorization check |
| CVE-2026-0486 | 3691645 | Medium | 5.0 | ABAP based SAP systems | Missing Authorization Check |
| CVE-2026-24325 | 3697256 | Medium | 4.8 | SAP BusinessObjects Enterprise (CMC) | Cross-Site Scripting (XSS) |
| CVE-2026-23685 | 3687285 | Medium | 4.4 | SAP NetWeaver (JMS service) | Insecure Deserialization |
| CVE-2026-23688 | 3215823 | Medium | 4.3 | SAP Fiori App (Manage Service Entry Sheets) | Missing Authorization check |
| CVE-2026-23681 | 3680416 | Medium | 4.3 | SAP Support Tools Plug-In | Missing Authorization check in function module |
| CVE-2026-24326 | 3678009 | Medium | 4.3 | SAP S/4HANA Defense & Security | Missing authorization check |
| CVE-2026-24327 | 3680390 | Medium | 4.3 | SAP Strategic Ent. Mgmt (Balanced Scorecard) | Missing Authorization Check |
| CVE-2026-23686 | 3673213 | Low | 3.4 | SAP NetWeaver AS Java | CRLF Injection vulnerability |
| CVE-2026-24320 | 3678313 | Low | 3.1 | SAP NetWeaver & ABAP Platform (AS ABAP) | Memory Corruption vulnerability |
The same Patch Day coverage also flags multiple denial-of-service and redirect/XSS-style issues in SAP BusinessObjects BI Platform and related components, reinforcing that externally reachable or user-facing endpoints deserve extra scrutiny during triage.