Overview
SAP’s security patch day for February 2026 has seen the release of 29 OSS SAP security notes. Two notes have been classified as critical, seven as high, eighteen as medium and two as low, based on their CVSS v3.0 rating.
Security Notes by CVSS v3 Base Score

Six notes have been released for:
- SAP NetWeaver Application Server ABAP
Four notes have been released for:
- SAP Solution Manager 7.2
- SAP Business Intelligence Platform
Two notes have been released for:
- SAP Fiori Front-End Server
- SAP NetWeaver Application Server Java
- SAP Commerce Cloud (Hybris)
Single notes have been released for:
- SAP S/4HANA Finance
- SAP CRM
- SAP Business Intelligence Platform
- SAP Sales Cloud (C4C)
- SAP SEM
- SAP Business One
- SAP SCM APO
- SAP for Banking (Industry Solution)
- SAP S/4HANA Materials Management
Security Notes by Product Category

Vulnerabilities: February 2026 Highlights
[CVE-2026-0484] Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA (SAP Note 3672622)
Due to a missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. This vulnerability has a high impact on the integrity of the application, with no effect on confidentiality or availability.
[CVE-2026-23687] XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform (SAP Note 3697567)
SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.
[CVE-2026-24328] Open Redirection vulnerability in Business Server Pages Application (SAP Note 3688319)
SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim’s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
[CVE-2026-0488] Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) (SAP Note 3697099)
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
[CVE-2026-24322] Missing Authorization check in SAP Solution Tools Plug-In (ST-PI) (SAP Note 3705882)
SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.
About this Review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.




