
Key Takeaways: What you need to know
  1. SAP's June 9, 2026 Security Patch Day published 15 new security notes, several at near-maximum severity against core NetWeaver and ABAP platform components, with the headline note rated CVSS 9.9.

  2. The most severe item, Note 3746332 (CVE-2026-44748), is an XML Signature Wrapping flaw in SAML authentication that can let an attacker forge a valid authentication assertion and bypass login controls.

  3. With only 34% of organizations fully transitioned to S/4HANA or cloud, the majority run hybrid estates where classic NetWeaver and ABAP components still carry critical processes and must be patched on the same cadence as anything newer.

An authentication bypass and a kernel memory-corruption flaw in the same month, both in components nearly every SAP system runs, is the kind of pairing that should prompt a patch schedule to move forward rather than leave it for the next quiet maintenance window. That is what SAP shipped on June 9, 2026, when its June Security Patch Day published 15 new security notes, several carrying near-maximum severity scores against core NetWeaver and ABAP platform components. For SAP Basis and security teams, this is not a routine month: the headline note is rated at CVSS 9.9, and three more are rated at 9.0 or above.

The pattern is a reminder that the most dangerous SAP vulnerabilities rarely hide in exotic add-ons. They sit in the foundational layers (the application server, the kernel, the authentication path), and a flaw there is a flaw everywhere.

What the June 2026 Notes Actually Fix

The most severe item is SAP Security Note 3746332, CVE-2026-44748, an XML Signature Wrapping vulnerability in SAML authentication affecting SAP NetWeaver Application Server ABAP and the ABAP Platform, rated CVSS 9.9. A signature-wrapping flaw in SAML can let an attacker forge a valid-looking authentication assertion and bypass login controls. SAP’s note provides a fix, and for organizations that cannot patch immediately, the documented workaround is to disable SAML authentication until the correction is applied.
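As an added illustration of the defensive side of that flaw class, and not code from SAP or from the note's correction, the structural checks a SAML service provider applies so that the assertion it acts on is exactly the element whose signature was verified. Cryptographic verification of the signature is assumed to be handled by an XML-DSig library and is not shown; the sample responses are constructed, not captured traffic.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]

class SamlStructureError(ValueError):
    """Response layout does not bind the consumed assertion to its signature."""

def select_signed_assertion(response_xml: str) -> str:
    """Return the ID of the one assertion the consumer may act on, else raise.
    Crypto verification of the signature is assumed to be done by an XML-DSig
    library; this binds the element it verified to the element then consumed."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//" + ASSERTION)  # every Assertion, however nested
    if len(assertions) != 1:
        raise SamlStructureError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlStructureError("Assertion has no ID attribute")
    sigs = [c for c in assertion if c.tag == SIGNATURE]  # enveloped: direct child only
    if len(sigs) != 1:
        raise SamlStructureError("Assertion must carry exactly one enveloped Signature")
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + assertion_id:
        raise SamlStructureError("Signature Reference does not cover the consumed Assertion")
    return assertion_id

def rejects(response_xml: str) -> bool:
    try:
        select_signed_assertion(response_xml)
    except SamlStructureError:
        return True
    return False

# Constructed samples for illustration, not captured SAP traffic.
def _assertion(aid: str, ref_uri: str) -> str:
    return (f'<saml:Assertion ID="{aid}"><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="{ref_uri}"/></ds:SignedInfo></ds:Signature>'
            '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')

WRAP = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">%%s</samlp:Response>'
        % (NS["samlp"], NS["saml"], NS["ds"]))
GOOD = WRAP % _assertion("_a1", "#_a1")
UNBOUND_REF = WRAP % _assertion("_a1", "#_elsewhere")  # signature covers something else
TWO_ASSERTIONS = WRAP % (_assertion("_a1", "#_a1") + _assertion("_a2", "#_a2"))
```

The consumer should use only the assertion `select_signed_assertion` returns, never a separately located one, so that the verified element and the consumed element cannot diverge.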


Close behind is SAP Security Note 3717897, CVE-2026-27671, a memory corruption vulnerability in the Application Server ABAP RFC kernel, rated CVSS 9.8. Because it sits in the kernel, the remediation is a kernel patch, and there is no configuration workaround, which makes scheduling the kernel update the only real mitigation.

Two further critical notes round out the high end. SAP Security Note 3748262, CVE-2026-22732, addresses a Spring Security vulnerability in SAP Commerce Cloud and Data Hub at CVSS 9.1, and SAP Security Note 3727078, CVE-2026-40128, covers a directory traversal flaw in the NetWeaver AS Java Web Container at CVSS 9.0. A high-severity entry, SAP Security Note 3735546, CVE-2026-44751, fixes a missing authorization check in ABAP, rated CVSS 7.1. The full set is published on SAP’s security notes overview.

SAP Security and Basis Leads Must Act Now

The exposure is broad because the affected components are ubiquitous. NetWeaver AS ABAP and the ABAP Platform underpin the bulk of productive SAP landscapes, so the SAML and RFC kernel flaws touch systems most organizations run in production today. A vulnerability in the login path and one in the kernel are each serious on their own; together they remove two of the assumptions teams rely on most, that users are who they claim to be and that the runtime itself is sound.

The strategic backdrop raises the stakes. As organizations modernize toward SAP S/4HANA and cloud, the foundational ABAP and NetWeaver layers remain in play across hybrid landscapes for years. SAPinsider’s ERP Migration and Transformation 2026 report found that 55% of organizations have deployed SAP S/4HANA or SAP cloud, but only 34% have fully transitioned, meaning the majority are running mixed estates where these classic components still carry critical business processes and must be patched on the same cadence as newer components.

The complexity of those estates makes patch coordination harder. SAPinsider’s Enterprise Integration for SAP 2025 report noted organizations average 36 applications across more than four integration tools, so a single unpatched RFC or authentication endpoint can be reachable through paths no one is actively monitoring.

This is also where the perimeter and the application layer have to work together. Network and endpoint security from vendors such as Fortinet limits who can reach an exposed RFC or web container endpoint in the first place, but it cannot remediate a flaw within NetWeaver or the ABAP kernel. Only SAP’s notes do that. The defensible posture treats the two as complementary: network controls narrow the attack surface and buy time, while the SAP notes close the underlying vulnerability.

What This Means for SAPinsiders

Triage the 9.9 SAML note first, and use the workaround only as a bridge. For SAP security and Basis leads, the XML Signature Wrapping flaw in SAML authentication (Note 3746332) is the one to address immediately, because an authentication bypass undermines all other controls. Apply the SAP-provided fix on priority systems now. Where patching must wait, disabling SAML per SAP’s documented workaround is a stopgap, not a resolution, and the patch should still be scheduled within the same cycle.

Schedule the kernel patch deliberately, because there is no shortcut. For Basis administrators, the RFC kernel memory-corruption flaw (Note 3717897) has no configuration workaround, which means the kernel update itself is the mitigation. Plan for the downtime, test the kernel-level changes in a non-production system, and roll it forward rather than hoping the exposure goes unnoticed. Kernel patches are disruptive, but a 9.8 in the RFC layer is not something to carry into next quarter.

Patch your classic components on the same clock as your new ones. For CIOs and security owners overseeing hybrid estates, the lesson of this patch day is that the 66% still mid-transition cannot treat NetWeaver and ABAP as legacy afterthoughts. Bring classic SAP components into the same vulnerability-management cadence as SAP S/4HANA and cloud workloads, and confirm that asset inventories actually cover every reachable RFC, SAML, and web-container endpoint before an attacker does the inventory for you. Review network-layer controls in parallel: confirm that perimeter and segmentation platforms, such as those from Fortinet, restrict access to the affected endpoints while patches roll out. Those controls buy time, but only SAP’s notes remove the flaw, so treat the two as complementary rather than interchangeable.
