Overview
SAP’s security patch day for June 2026 has seen the release of 16 OSS SAP security notes. Five notes have been classified as critical, three as high, nine as medium and three as low based on the CVSS v3.0 Rating.
Security Notes by CVSS v3 Base Score

Seven notes have been released for:
- SAP NetWeaver
Three notes have been released for:
- SAP Commerce Cloud
Two notes have been released for:
- SAP BusinessObjects
Single notes have been released for:
- SAP Enterprise Portal
- SAP Solution Manager
- SAP Master Data Governance
- SAP Fiori
- SAP Business Warehouse
- SAP Supply Chain Management
- SAP Gateway
- SAP Incentive and Commission Management
Security Notes by Product Category

Vulnerabilities: June 2026 Highlights
[CVE-2026-44754] Missing caller identification check-in for ODP Data Replication APIs (SAP Note 3748819)
The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with their intended usage. This could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.
[CVE-2026-27671] Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform (SAP Note 3717897)
Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.
[CVE-2026-44751] Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform (SAP Note 3735546)
Application Server ABAP does not perform the necessary authorization checks for an authenticated user, allowing an attacker to execute a report generation command that could overwrite information belonging to another user, resulting in escalation of privileges. This has a high impact on integrity, a low impact on availability and no impact on confidentiality of the application.
[CVE-2026-44748] XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform (SAP Note 3746332)
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.
[CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad) (SAP Note 3682699)
SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain. When opened by the user, such a URL could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system and causes a low impact on confidentiality and integrity. Availability of the system is not impacted.
[CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management (SAP Note 3718508)
Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
About this Review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.


