SAP Security Patch Day: Critical Updates and Vulnerability Analysis Each Month

Updated May 13, 2026.

SAP Security Patch Day is a fixed point in the monthly operating cycle for SAP customers. On the second Tuesday of each month, SAP publishes Security Notes addressing vulnerabilities across core, supporting, and legacy systems.

The schedule is predictable, but the risk is not. Severity ratings alone do not define impact because real exposure is shaped by configuration, authorization design, component reachability, response speed, and the quality of vulnerability intelligence available to SAP teams, an issue that has become more important as the NIST limits CVE enrichment.

Zero-day vulnerabilities and the gap between disclosure and remediation mean patching alone does not eliminate exposure.

This article provides an updated analysis of SAP Security Patch Day every month. It focuses on the updates most likely to materially affect enterprise risk, explaining why those issues matter operationally. The analysis draws on insights from SAPinsider security researchers, SAP security specialists, and trusted SAP security partners.

SAP Security Patch Day — May 2026

SAP’s May 2026 Patch Day delivered 15 new Security Notes. SAP listed two vulnerabilities as critical, one as high, eleven as medium, and one as low. The notes affected search, commerce, forecasting and replenishment, analytics, user interface, application server, and HANA deployment.

Critical Issues to Prioritize

• SAP S/4HANA Enterprise Search for ABAP — SQL Injection (CVSS 9.6): A SQL injection vulnerability allows a low-privileged authenticated attacker to inject malicious SQL statements through user-controlled input. Exploitation could expose sensitive database information and potentially crash the application.
• SAP Commerce Cloud — Missing Authentication Check / Code Injection (CVSS 9.6): An improper Spring Security configuration allows an unauthenticated user to upload malicious configuration and inject code. Exploitation could result in arbitrary server-side code execution with high impact to confidentiality, integrity, and availability.

High-Priority Issues With Broad Reach

• SAP Forecasting & Replenishment — OS Command Execution (CVSS 8.2): An authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify system data or shut down the system, creating serious operational risk despite the elevated access required.

Several medium-priority notes affected widely deployed SAP components and shared technical layers. Issues involving Business Server Pages, SAPUI5, BusinessObjects, SAP NetWeaver AS ABAP, SAP HANA deployment tooling, and SAP Incentive and Commission Management show how lower-severity vulnerabilities can still matter when they sit inside common user interface, reporting, application server, development, or authorization paths.

What Security Practitioners Are Flagging

SecurityBridge highlighted the May release as a patch-management challenge across on-premise, cloud, and hybrid SAP environments. In addition to the 15 new notes on SAP’s Patch Day page, it listed SAP Note 3747787 on malicious open-source packages in SAP Cloud Application Programming Model and MTA Build Tool, known as the Mini Shai-Hulud malware campaign, as CVSS 10.0 to underline its importance.

Layer Seven Security focused most sharply on SAP Security Note 3747787 and the Mini Shai-Hulud npm package campaign. Its analysis described malicious SAP-related npm packages that could execute during installation, target developer, GitHub, npm, cloud, CI/CD, and service account credentials, propagate through stolen tokens, and persist through IDE and AI coding tool configuration files.

Pathlock’s analysis emphasized the operational spread of the May notes across S/4HANA search, Commerce Cloud configuration paths, forecasting and replenishment, BusinessObjects, SAPUI5, HANA deployment tooling, and developer CI/CD pipelines. Its framing pointed to SAP patching as a coordination issue across Basis, security, DevOps, Commerce Cloud, application owners, and identity teams.

MindFore connected the three Critical and High-priority notes to business-process risk across S/4HANA, Commerce Cloud, and Forecasting & Replenishment. Its comments emphasized potential exposure to sensitive business data, storefront operations, customer data, integrations, forecasting, inventory planning, and supply chain continuity.

SAP Security Patch Day — April 2026

SAP’s April 2026 Patch Day delivered 19 new Security Notes with one update. SAP listed one as critical and several as high-priority, with the remainder medium or low, affecting components across financial planning, data warehousing, ERP, and SAP S/4HANA applications.

Critical Issues to Prioritize

• SAP Business Planning and Consolidation and SAP Business Warehouse — SQL Injection (CVSS 9.9): A SQL injection vulnerability tied to authorization checks in an ABAP upload path allows low-privileged authenticated users to execute arbitrary SQL. The flaw enables direct access to planning and warehouse data, including the ability to read, modify, or delete records.

High-Priority Issues With Broad Reach

• SAP ERP and SAP S/4HANA — Missing Authorization Check (CVSS 7.1): A missing authorization check allows a low-privileged authenticated user to execute an ABAP program that can overwrite existing executable reports. If those reports are subsequently run, the intended functionality becomes unavailable, creating targeted disruption across ERP and S/4HANA business processes.

Several medium-priority notes affect widely deployed SAP components. Missing or insufficient authorization checks in SAP S/4HANA services, including OData and backend functions, illustrate how access control gaps and exposed interfaces can expand exposure across application and integration layers.

What Security Practitioners Are Flagging

SecurityBridge highlights the critical SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse as the primary risk driver, pointing to how upload-related functionality can enable unauthorized SQL execution when authorization checks are insufficient.

Pathlock’s analysis emphasizes a broader pattern of access control weaknesses, noting that multiple vulnerabilities—including those in SAP ERP and SAP S/4HANA—allow low-privileged users to affect application behavior through missing authorization checks.

Layer Seven Security similarly underscores how these issues span both database and application layers, reinforcing that authenticated access and role design remain central to exposure across SAP environments.

SAP Security Patch Day — March 2026

SAP’s March 2026 Patch Day delivered 15 new Security Notes with no updates to previous releases. SAP listed two as critical, one high-priority, and the remainder medium or low, affecting components across NetWeaver platform services and supply chain systems.

Critical Issues to Prioritize

• SAP Quotation Management Insurance (FS-QUO) — Code Injection (CVSS 9.8): A command injection vulnerability tied to an outdated Log4j dependency enables remote execution through the FS-QUO scheduler. Prioritize remediation wherever quotation scheduling services are reachable.
• SAP NetWeaver Enterprise Portal Administration — Insecure Deserialization (CVSS 9.1): An insecure deserialization flaw in Enterprise Portal Administration can allow remote code execution when malicious serialized content is processed. Address exposure where Enterprise Portal administration remains in use.

High-Priority Issues With Broad Reach

• SAP Supply Chain Management — Denial of Service (CVSS 7.7): A denial-of-service vulnerability in SAP Supply Chain Management allows excessive resource consumption through a vulnerable RFC-enabled function module. In SCM or APO planning environments, outages can cascade into logistics and manufacturing disruption.

Several medium-priority notes affect widely deployed platform layers. Server-side request forgery and missing authorization checks in SAP NetWeaver AS ABAP illustrate how configuration and exposed interfaces can expand exposure.

What Security Practitioners Are Flagging

SecurityBridge contributed research behind SAP Note 3707930, a missing authorization check in the SAP Solution Tools Plug-In (ST-PI), showing how administrative tooling can introduce exposure when authorization boundaries are weak.

Pathlock’s analysis emphasizes the operational patterns behind this month’s notes, particularly risks tied to third-party dependencies, administrative interfaces, and RFC-enabled functions. Layer Seven Security similarly highlights the Log4j dependency in FS-QUO and the Enterprise Portal deserialization flaw as examples of how vulnerabilities inside trusted services can create meaningful exposure.

SAP Security Patch Day — February 2026

SAP’s February 2026 Patch Day delivered 26 new Security Notes and one update. SAP listed two as critical, seven high-priority, 16 medium, and two low—an above normal workload with exposure concentrated in ABAP and core platform layers.

Critical Issues to Prioritize

• SAP CRM and SAP S/4HANA — Code Injection (Scripting Editor) (CVSS 9.9): A critical code injection weakness in the Scripting Editor can enable unauthorized execution of sensitive actions, including database-impacting activity in affected stacks. Prioritize wherever scripting is enabled in tightly connected landscapes.
• SAP NetWeaver AS ABAP and ABAP Platform — Missing Authorization Check (CVSS 9.6): A missing authorization check can allow background RFC activity under conditions that bypass expected controls. Remediation may extend beyond a simple transport, since SAP’s guidance includes kernel and parameter actions that can touch production behavior.

High-Priority Issues With Broad Reach

• SAP NetWeaver AS ABAP and ABAP Platform — XML Signature Wrapping (CVSS 8.8): Identity and message integrity issues deserve fast triage in landscapes that rely on signed XML workflows.

Other high-severity notes touch infrastructure shared across many SAP landscapes. Denial-of-service vulnerabilities in SAP BusinessObjects BI Platform (CVE-2026-0490 and CVE-2026-0485, both CVSS 7.5) can interrupt reporting that supports operational and regulatory activity.

What Security Practitioners Are Flagging

Several of February’s fixes trace back to work by independent researchers. Onapsis research contributed to vulnerabilities affecting the Scripting Editor and ABAP authorization behavior, showing how external research feeds directly into SAP’s remediation cycle.

Pathlock stresses that regular engagement with SAP Security Notes is central to a resilient cybersecurity posture. SecurityBridge reinforces that effective remediation depends on how patches map to real configurations, since applicability and exposure vary across landscapes.

SAP Security Patch Day — January 2026

SAP’s January 2026 Patch Day delivered 17 Security Notes, including four critical and four high-severity issues. The most consequential risks span SAP S/4HANA, monitoring, and landscape transformation systems. The remaining notes were rated medium or low.

Critical Issues to Prioritize

• SAP S/4HANA Financials — SQL Injection (CVSS 9.9): A critical SQL injection flaw can allow database manipulation under permissive RFC authorizations, directly threatening financial data integrity and reporting accuracy.
• SAP Wily Introscope Enterprise Manager — Remote Code Execution (CVSS 9.6): A remote code execution vulnerability allows arbitrary command execution on a trusted monitoring system that often runs with elevated privileges.
• SAP S/4HANA — Code Injection (CVSS 9.1): This code injection issue enables unauthorized modification of program logic and potential OS-level command execution, accelerating attacker control after initial compromise.
• SAP Landscape Transformation — Code Injection (CVSS 9.1): A code injection vulnerability allows execution logic to be altered without proper authorization checks, increasing risk in highly connected transformation environments.

What Security Practitioners Are Flagging

January’s Patch Day shows SAP security risk concentrating inside trusted systems rather than at the perimeter. Onapsis and Layer Seven Security highlight that the most severe issues rely on common enterprise conditions such as broad RFC authorizations, long-lived technical users, and embedded legacy components rather than novel exploits.

From an operational perspective, SecurityBridge notes that remediation frequently requires authorization and configuration changes alongside patching. Pathlock frames these vulnerabilities as realistic intrusion paths, where credential compromise can quickly escalate through RFC-enabled functions and trusted administrative tools.

What This Means for SAPinsiders

• Patch Day requires operational discipline. Effective Patch Day response depends on repeatable processes and clear execution. Defined ownership, severity-based triage, authorization review, and post-patch validation reduce risk without disrupting business-critical SAP operations.
• SAP security risk is structurally complex. Modern SAP environments combine core ERP, integrations, extensions, and long-lived components that expand exposure beyond individual vulnerabilities. Ongoing monitoring and informed external insight help teams understand where risk accumulates and which changes warrant attention.
• External insight reinforces internal judgment. Independent SAP security vendors provide research and early analysis that can surface exposure ahead of Patch Day. Monitoring credible vendor insight helps organizations prioritize response while retaining ownership of risk decisions.