Overview
SAP’s security patch day for April 2026 has seen the release of 22 OSS SAP security notes. One note has been classified as critical, two as high, 17 as medium and two as low based on CVSS v3.0 Rating.
Security Notes by CVSS v3 Base Score

Four notes each have been released for:
- SAP NetWeaver
- SAP ERP Plant Maintenance
- SAP BusinessObjects
Two notes have been released for:
- SAP ERP Finance
Single notes have been released for:
- SAP ERP Joint Venture Accounting (JVA)
- SAP Utilities Industry Solution (IS-U)
- SAP HANA
- SAP Supply Chain Management (SCM)
- SAP Supplier Relationship Management (SRM)
- SAP S/4HANA Finance
- SAP ERP Logistics
- SAP Business Planning and Consolidation (BPC)
Security Notes by Product Category

Vulnerabilities: April 2026 Highlights
[CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP (SAP Note 3692004)
Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to a page controlled by the attacker. This has a low impact on the confidentiality and integrity of the application and no impact on availability.
[CVE-2026-34264] Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA (SAP Note 3680767)
During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Because of this, an authenticated user with low privileges could guess and enumerate content beyond their authorized scope. This leads to disclosure of sensitive information, with a high impact on confidentiality, while integrity and availability are unaffected.
[CVE-2026-34256] Missing Authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) (SAP Note 3731908)
Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.
[CVE-2026-34261] Missing Authorization check in SAP Business Analytics and SAP Content Management (SAP Note 3705094)
Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.
[CVE-2026-24316] Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP (SAP Note 3689080)
SAP NetWeaver Application Server for ABAP provides an ABAP report for testing purposes which allows HTTP requests to be sent to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on the availability of the application.
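The two NetWeaver items above (the open redirect in CVE-2026-34257 and the SSRF in CVE-2026-24316) are both failures to validate an attacker-supplied URL before the server acts on it. The following is an added illustration of the checks that close each class, written here in Python; it is not SAP code and not the content of either SAP Note. The application host `erp.example.corp`, the outbound allowlist entry `api.partner.example`, and the addresses used in the comments are assumptions for the demo. The remediation for the notes themselves is to apply them; this block shows what the vulnerable pattern looks like and how a validator rejects the usual bypasses.

```python
"""Redirect-target and outbound-URL validation (constructed example, not SAP code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the host name(s) the application is served from.
APP_HOSTS = {"erp.example.corp"}

# Assumption: the only destinations a "test HTTP request" function may call.
OUTBOUND_ALLOW = {"api.partner.example"}


def is_safe_redirect(target: str) -> bool:
    """Open-redirect check: accept only same-origin redirect targets.

    Rejects absolute URLs to other hosts, protocol-relative '//evil',
    backslash variants ('/\\evil', which browsers read as '//evil'),
    userinfo tricks ('https://erp.example.corp@evil') and non-http schemes.
    """
    if not target:
        return False
    candidate = target.replace("\\", "/")  # browsers treat '\' as '/'
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # A path-only target stays on our origin, but '//host' is not a path.
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit().hostname already drops userinfo and port and lower-cases.
    return (parts.hostname or "") in APP_HOSTS


def _is_internal(ip_text: str) -> bool:
    """True if an address is loopback, private, link-local, shared (CGNAT),
    documentation, multicast or otherwise not globally routable."""
    addr = ipaddress.ip_address(ip_text.split("%", 1)[0])  # strip IPv6 zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # '::ffff:10.0.0.5' is really 10.0.0.5
    return (not addr.is_global) or addr.is_multicast


def is_safe_outbound(url: str, resolver=socket.getaddrinfo) -> bool:
    """SSRF check for a server-side HTTP client.

    Requires http(s), a host on the allowlist, and that every address the
    host resolves to is globally routable, so an allowlisted name whose DNS
    record points at 10.0.0.0/8 or 169.254.169.254 is still rejected.
    `resolver` is injectable so the check can be exercised offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname or ""
    if host not in OUTBOUND_ALLOW:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(host, port)
    except (ValueError, OSError):  # bad port, or name does not resolve
        return False
    if not infos:
        return False
    # Each getaddrinfo entry is (family, type, proto, canonname, sockaddr);
    # sockaddr[0] is the address string for both IPv4 and IPv6.
    return not any(_is_internal(info[4][0]) for info in infos)


if __name__ == "__main__":
    for t in ("/sap/bc/ui5_ui5/ui2/ushell", "//evil.example/", "/\\evil.example/",
              "https://erp.example.corp@evil.example/", "javascript:alert(1)"):
        print(f"redirect {t!r:45} -> {is_safe_redirect(t)}")
    # Constructed resolver results standing in for DNS answers.
    internal = lambda h, p: [(0, 0, 0, "", ("10.0.0.5", p))]
    print("outbound to allowlisted name resolving internally ->",
          is_safe_outbound("https://api.partner.example/v1", resolver=internal))
```

The DNS check is still a time-of-check/time-of-use gap: a rebinding name can answer with a public address when validated and a private one when the HTTP client connects. Production code therefore either connects to the validated address itself (passing the host name only for TLS SNI and the Host header) or performs the same address check inside the client's connection hook. The allowlist is what most ABAP-side fixes of this pattern amount to: the report in the note was a test tool that accepted any destination.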
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates, produce this security review and send bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including SAP's process, the CVE process and CVSS base scores, in our earlier article on addressing security vulnerabilities in SAP software.