Overview

SAP’s security patch day for December 2025 has seen the release of 18 OSS SAP security notes. Four notes have been classified as critical, four as high, eight as medium and two as low based on CVSS v3.0 rating.

Security Notes by CVSS v3 Base Score


Seven notes have been released for:

• SAP ERP

Four notes have been released for:

• SAP NetWeaver

Single notes have been released for:

• SAP Solution Manager

• SAP HANA Platform

• SAP NetWeaver AS Java

• SAP Identity Management

• SAP SRM

• SAP NetWeaver BW

• SAP Enterprise Portal

Security Notes by Product Category


Vulnerabilities: January 2026 Highlights

[CVE-2026-0497] Missing Authorization check in Business Server Pages Application (SAP Note 3677111)

SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.

[CVE-2026-0506] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform (SAP Note 3688703)

Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
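To illustrate the vulnerability class behind CVE-2026-0506 from a defender's point of view, the ABAP below is an added example and not SAP's code or the affected function module (which the note summary above does not name). It shows an RFC-enabled function module that dispatches to FORM routines by caller-supplied name with no authorization check, followed by a hardened version that performs an AUTHORITY-CHECK, restricts the FORM name to an allow list and pins the host program. The names Z_RUN_FORM_UNSAFE, Z_RUN_FORM_SAFE, ZEXAMPLE_FORMS and the authorization object Z_FORMEXEC are hypothetical customer-namespace names.

```abap
" Added illustration of a missing authorization check in an RFC-enabled
" function module. Hypothetical customer-namespace objects; not the code
" referenced in SAP Note 3688703.

" --- Vulnerable pattern ---------------------------------------------
" Any caller who can reach the RFC may run any FORM in any program, so the
" only protection is the generic S_RFC check on the function group.
FUNCTION z_run_form_unsafe.
*"  IMPORTING
*"     VALUE(IV_PROGRAM) TYPE  PROGNAME
*"     VALUE(IV_FORM)    TYPE  CHAR30
*"     VALUE(IV_PARAM)   TYPE  STRING OPTIONAL
  " No AUTHORITY-CHECK and no validation of IV_PROGRAM / IV_FORM.
  PERFORM (iv_form) IN PROGRAM (iv_program) IF FOUND USING iv_param.
ENDFUNCTION.

" --- Hardened pattern -----------------------------------------------
FUNCTION z_run_form_safe.
*"  IMPORTING
*"     VALUE(IV_FORM)  TYPE  CHAR30
*"     VALUE(IV_PARAM) TYPE  STRING OPTIONAL
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"     FORM_NOT_ALLOWED
  " Host program is fixed; the caller can no longer choose it.
  CONSTANTS gc_program TYPE progname VALUE 'ZEXAMPLE_FORMS'.

  " Allow list of FORM routines this RFC is permitted to dispatch to
  " (constructed example values).
  DATA(lt_allowed) = VALUE string_table( ( `EXPORT_REPORT` )
                                         ( `REFRESH_CACHE` ) ).

  " 1. Explicit authorization check on a dedicated (hypothetical)
  "    authorization object, carrying the requested FORM name as a field.
  AUTHORITY-CHECK OBJECT 'Z_FORMEXEC'
    ID 'ACTVT'    FIELD '16'
    ID 'FORMNAME' FIELD iv_form.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " 2. Input validation: normalise and compare against the allow list so
  "    that only intended routines can be reached, even by authorized users.
  DATA(lv_form) = to_upper( iv_form ).
  IF NOT line_exists( lt_allowed[ table_line = lv_form ] ).
    RAISE form_not_allowed.
  ENDIF.

  " 3. Dispatch only after both checks have passed.
  DATA(lv_name) = CONV char30( lv_form ).
  PERFORM (lv_name) IN PROGRAM gc_program IF FOUND USING iv_param.
ENDFUNCTION.
```

For defenders the practical takeaways are the same as for any missing-authorization finding: apply the corrective SAP Note, and review custom RFC-enabled function modules that use dynamic PERFORM, CALL FUNCTION or SUBMIT for the same gap, since the standard S_RFC check only controls whether the function may be called, not what it does with caller-controlled names.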

[CVE-2026-0503] Missing Authorization check in SAP ERP Central Component and SAP S/4HANA (SAP Note 3681523)

Due to a missing authorization check in SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application, which might further affect downstream systems. This vulnerability leads to a low impact on confidentiality and integrity of the application, with no effect on availability.

About this Review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
