SAP has released the July 2026 security update bundle, which fixes three critical vulnerabilities: memory corruption in SAP NetWeaver Application Server ABAP (CVSS 9.9), HTTP request smuggling in SAP Approuter (CVSS 9.1), and the use of default credentials in SAP Commerce Cloud (CVSS 9.1). All three vulnerabilities allow unauthorized access to data or disruption of system operations. No signs of active exploitation have been observed so far, but the severity ratings require that these updates be treated as a priority.
Technical details of the vulnerabilities
CVE-2026-44747 — memory corruption in NetWeaver ABAP (CVSS 9.9)
The most serious of the three, CVE-2026-44747, is an out-of-bounds write vulnerability in SAP NetWeaver Application Server ABAP. An authenticated attacker can exploit logical errors in memory management, leading to memory corruption. The consequences include unauthorized access to data, data modification, or complete unavailability of the system.
The CVSS score of 9.9 — almost the maximum — is explained by the fact that only basic authentication is required for exploitation, while the impact affects all three key security properties: confidentiality, integrity, and availability.
According to researchers at Onapsis, as a temporary workaround it is suggested to disable all ICF nodes with a certain property in transaction SICF. However, this workaround prevents transactions from being opened in SAP GUI for HTML, which makes it unacceptable for many organizations. Installing the updated version of the ABAP Kernel is recommended.
CVE-2026-27690 — HTTP request smuggling in SAP Approuter (CVSS 9.1)
The vulnerability CVE-2026-27690 affects SAP Approuter deployments in environments that do not use Cloud Foundry. An unauthenticated attacker can send a specially crafted HTTP request that triggers request-response desynchronization. This makes it possible to intercept responses intended for other users, as well as to carry out denial-of-service attacks.
What makes this especially dangerous is the lack of an authentication requirement: the attack can be launched from outside without any credentials. Organizations using SAP Approuter outside Cloud Foundry should treat this vulnerability as a priority.
CVE-2026-44761 — default credentials in SAP Commerce Cloud (CVSS 9.1)
The vulnerability CVE-2026-44761 is due to the fact that SAP Commerce Cloud may retain a sample OAuth 2.0 client with publicly documented credentials taken from configuration examples on the SAP Help Portal. If these credentials have not been changed, an unauthenticated attacker can obtain a valid access token and, via the API, read and modify system data.
According to the description in the NVD, successful exploitation has a high impact on confidentiality and integrity, but does not affect availability.
According to Onapsis, the vulnerability arose because of configuration scripts that were previously provided on the SAP Help Portal. These scripts, intended for development and testing, configured OAuth 2.0 clients with hard-coded, widely known credentials. Reportedly, older versions of the documentation did not include an explicit warning that these settings must not be imported into a production environment.
Impact assessment
All three vulnerabilities affect key components of the SAP ecosystem that are widely used in large and mid-sized enterprises worldwide. NetWeaver ABAP is the foundation of most SAP installations, Approuter provides routing in cloud and hybrid scenarios, and Commerce Cloud powers e-commerce platforms.
The organizations at highest risk are those that:
- Use SAP NetWeaver ABAP with access through SAP GUI for HTML
- Have deployed SAP Approuter outside the Cloud Foundry environment
- Have run configuration scripts from the SAP Help Portal documentation in a Commerce Cloud production environment without replacing the credentials
Mitigation recommendations
- CVE-2026-44747: install the updated version of the ABAP Kernel. The workaround of disabling ICF nodes in transaction SICF is acceptable only as a temporary measure and is not suitable for organizations that depend on SAP GUI for HTML.
- CVE-2026-27690: apply the patch from SAP’s July security update bundle. Organizations with Approuter deployments outside Cloud Foundry should review routing configuration and limit external access until the update is installed.
- CVE-2026-44761: perform an audit of the Commerce Cloud production environment for the presence of the sample OAuth 2.0 client with default credentials. If such a client is found, delete it or replace the secret with a unique, strong value. Organizations that have already removed the sample client or replaced the secret are not affected by this vulnerability.
None of the three vulnerabilities had been added to the CISA Known Exploited Vulnerabilities catalog or had confirmed cases of exploitation at the time of publication. Nevertheless, the CVSS scores of 9.1–9.9 clearly indicate the need for prioritized patching: install the patches from the July SAP security bundle during the next maintenance window, and for Commerce Cloud immediately check for the presence of the sample OAuth client in the production environment, since this verification does not require downtime and can be performed right away.