SAP has released its July 2026 Security Patch Day updates, addressing a critical memory corruption vulnerability in the SAP NetWeaver Application Server ABAP.
The most severe issue, tracked as CVE-2026-44747, has a CVSS score of 9.9 and affects multiple SAP kernel versions used in enterprise environments.
On July 14, SAP published 16 new security notes and one GitHub security advisory, along with three updates to previously released notes. Administrators are urged to review the affected systems and apply the fixes as a priority through the SAP Support Portal.
The critical NetWeaver ABAP flaw is outlined in SAP Security Note 3747367. CVE-2026-44747 is described as a memory corruption vulnerability that can occur when an application improperly handles memory operations.
This could potentially allow an attacker to change program execution, access sensitive information, crash services, or execute malicious code under certain conditions.
The vulnerability impacts several SAP kernel and NetWeaver versions, including KRNL64NUC and KRNL64UC 7.22 and 7.22EXT, as well as kernel versions 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, and 9.20.
Organizations should verify the specific software components and patch levels in their SAP landscape before applying the correction.
The assigned CVSS vector indicates that exploitation is network-based, requires low attack complexity, and demands low privileges, with no user interaction needed.
SAP Security Update July 2026
Successful exploitation could significantly impact confidentiality, integrity, and availability. Additionally, the attack scope has changed, meaning a compromised component may affect resources beyond its original security boundary.
SAP’s July Patch Day also addresses two other critical vulnerabilities. CVE-2026-27690 is an HTTP request smuggling flaw in SAP Approuter versions earlier than 20.10.0, rated 9.1.
Attackers may exploit request smuggling to bypass front-end security controls or interfere with how back-end systems process HTTP requests.
Another critical issue, CVE-2026-44761, affects SAP Commerce Cloud releases HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21.
This flaw stems from insecure sample credentials and has a CVSS score of 9.1. Default, exposed, or inadequately protected credentials can enable unauthorized access to affected environments.
SAP also updated its June security note for CVE-2026-40128, a directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container.
This vulnerability carries a CVSS score of 9.0. It may allow attackers to access or modify files outside of an intended directory path.
Security teams should prioritize SAP Note 3747367, validate kernel compatibility, test patches in non-production environments, and schedule accelerated deployment for internet-facing or business-critical NetWeaver instances.
| SAP Note | CVE | Vulnerability | Affected Product | Priority | CVSS |
|---|---|---|---|---|---|
| 3747367 | CVE-2026-44747 | Memory Corruption | SAP NetWeaver Application Server ABAP | Critical | 9.9 |
| 3720138 | CVE-2026-27690 | HTTP Request Smuggling | SAP Approuter | Critical | 9.1 |
| 3753495 | CVE-2026-44761 | Insecure Sample Credentials | SAP Commerce Cloud | Critical | 9.1 |
| 3727078 | CVE-2026-40128 | Directory Traversal | SAP NetWeaver AS Java Web Container | Critical | 9.0 |
| 3758101 | CVE-2026-40860, CVE-2026-40453, CVE-2026-33454 | Multiple Apache Camel vulnerabilities | SAP Integration Suite Edge Integration Cell | High | 8.8 |
| 3692165 | CVE-2026-0487 | DLL Hijacking | SAProuter for Microsoft Windows | High | 8.4 |
| 3748227 | CVE-2026-44752 | Cross-Site Scripting | SAP NetWeaver AS Java Configuration Wizard | High | 8.2 |
| 3741519 | CVE-2026-44745 | Open Redirect | SAP Approuter | High | 8.1 |
| 3763800 | CVE-2026-43512, CVE-2026-41293, CVE-2026-43515 | Multiple Apache Tomcat vulnerabilities | SAP Commerce Cloud | High | 8.1 |
| 3773304 | CVE-2026-58233 | Remote Code Execution | SAP Change and Transport System Attach Tool (ctsattach) | High | 7.6 |
| 3746678 | CVE-2026-44759 | Cross-Site Scripting | SAP NetWeaver Enterprise Portal | Medium | 6.1 |
| GHSA-p8gx-753q-v89p | CVE-2026-44767 | Allowlist Bypass / Cross-Origin CSS Injection | UI5 Web Components Base | Medium | 6.1 |
| 3537373 | CVE-2026-44769 | SQL Injection | SAP S/4HANA Project Management (PPM-PRO) | Medium | 5.5 |
| 3754659 | CVE-2026-44760 | Cross-Site Scripting | SAP NetWeaver AS ABAP Business Server Pages | Medium | 4.7 |
| 3515598 | CVE-2026-44771 | Missing Authorization Check | SAP S/4HANA Draft Operation | Medium | 4.3 |
| 3713902 | CVE-2026-44770 | Missing Authorization Check | SAP S/4HANA Create Single Payment | Medium | 4.3 |
| 3682699 | CVE-2026-24315 | Path Traversal | SAP Fiori Launchpad | Medium | 4.2 |
| 3155685 | CVE-2026-44768 | Security Misconfiguration | SAP CRM WebClient UI | Medium | 4.1 |
| 3732522 | CVE-2026-44753 | Information Disclosure | SAP HANA Extended Application Services, classic model | Low | 3.7 |
| 3726899 | CVE-2025-68161 | Potential Apache Log4j library vulnerability | SAP NetWeaver AS Java | Low | 3.3 |
They should also restrict unnecessary network access to SAP application servers, review privileged accounts, monitor system logs for abnormal activity, and ensure backups are available before maintenance.
SAP Security Patch Days provide the vendor’s regular channel for publishing corrective Security Notes, and SAP recommends that customers review and implement relevant notes to protect their SAP landscapes.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

