
SAP issued 15 new Security Notes in May 2026, including critical vulnerabilities in SAP S/4HANA Enterprise Search for ABAP and SAP Commerce Cloud.
SAP Patch Day triage requires more than CVSS scores because exposure depends on system configuration, access, ownership, and remediation validation.
Vendor analysis around Mini Shai-Hulud highlights SAP software supply-chain risk across developer systems, credentials, build environments, and package dependencies.
SAP’s May 2026 Security Patch Day was moderate in volume but broad in exposure.
SAP issued 15 new Security Notes on May 12, including two critical notes, one high-priority note, eleven medium notes, and one low note. The highest-severity vulnerabilities affected SAP S/4HANA Enterprise Search for ABAP and SAP Commerce Cloud, while a high-priority issue in SAP Forecasting & Replenishment added operational planning risk.
May’s risk profile reached core ERP search, internet-facing commerce, supply chain planning, and SAP-adjacent developer tooling. It also showed why SAP teams need both official Patch Day guidance and trusted vendor intelligence when supply-chain issues can reach development systems, credentials, and build environments.
Critical SAP Vulnerabilities Reach Business Operations
May’s two critical vulnerabilities affected different parts of the SAP estate.
The first was a SQL injection vulnerability in SAP S/4HANA Enterprise Search for ABAP, rated at CVSS 9.6. The CVE record says an authenticated attacker with low privileges could inject malicious SQL statements through user-controlled input. Enterprise Search sits close to the way users find and retrieve business information in SAP S/4HANA, so the risk can affect confidentiality and availability across business processes that depend on ERP data.
The second critical issue was a missing authentication check in SAP Commerce Cloud configuration, also rated at CVSS 9.6. The CVE record says improper Spring Security configuration could allow an unauthenticated user to upload malicious configuration content and inject code, resulting in arbitrary server-side code execution.
MindFore CEO Laxman Bolineni framed both issues in business terms. He tied the SAP S/4HANA issue to sensitive business data and placed the Commerce Cloud vulnerability closer to storefront operations, customer data, integrations, and availability. Each vulnerability requires a different response path: one tied to ERP data access, the other to customer-facing commerce operations.
SAP Patch Triage Needs Operational Context
The high-priority issue in SAP Forecasting & Replenishment shows why severity labels need more than a score. The vulnerability is an OS command injection issue rated at CVSS 8.2. The CVE record says an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Exploitation could let the attacker read or modify data or shut down the system.
The vulnerability’s risk profile differs from the two critical notes. It requires elevated privileges and is not remotely enabled, but the possible impact remains severe because Forecasting & Replenishment supports planning for inventory, replenishment, and supply chain continuity. The CVSS score is lower than the two critical notes, but the system’s role in planning operations makes remediation urgent.
That changes how teams should think about the fixes in the May release. Layer Seven Security’s analysis showed how each vulnerability pointed to a different control path. It said SAP addressed the SAP S/4HANA issue through input validation, Commerce Cloud through patched releases and configuration changes, and Forecasting & Replenishment through authorization checks and command screening.
Those control paths then have to be applied inside real SAP estates. Gert-Jan Koster, SAP Security specialist at SecurityBridge, used the May Patch Day release to point to the broader triage challenge. SAP landscapes often span on-premise systems, cloud services, and hybrid architectures, where interconnected components and dependencies can complicate patch planning.
The coordination burden extends across teams as well as systems. Pathlock’s analysis of the full May release added a coordination layer to that prioritization challenge. Jonathan Stross, senior product manager, cybersecurity R&I, at Pathlock, explained how May’s vulnerabilities cut across SAP applications, cloud services, analytics, and developer tooling.
Taken together, these perspectives show why note count and CVSS score can only start the response process. SAP teams still need to know where affected components run, who can access them, which teams own remediation, and how fixes will be validated.
Mini Shai-Hulud Shows Why Vendor Intelligence Matters
The most revealing part of May Patch Day may be what surfaced through vendor analysis rather than SAP’s main Patch Day table.
Alongside the 15 new notes on SAP’s Patch Day page, SecurityBridge highlighted SAP Note 3747787, which addressed malicious open-source packages in the SAP Cloud Application Programming Model and the MTA Build Tool and has been connected to the malware campaign widely referred to as Mini Shai-Hulud. Although SecurityBridge said SAP assigned the note a CVSS score of 0.0, the firm listed it as 10.0 in its own summary to underline its operational importance.
Joris van de Vis, director of security research at SecurityBridge Research Labs, analyzed the campaign in detail. He said four SAP ecosystem npm packages were compromised on April 29. The affected versions were tied to SAP CAP database services and Cloud MTA Build Tool. The malware targeted developer and build credentials, including GitHub and npm tokens, cloud secrets, Kubernetes configuration, SSH keys, and CI/CD environment variables.
The risk was not limited to package installation. Layer Seven Security said response cannot stop at replacing affected packages because developer systems, build environments, repositories, credentials, and persistence files may remain in scope. It also warned that Mini Shai-Hulud could hide in project files used by VS Code and Claude Code. If those files remained in place, a routine action could become risky: opening a compromised project might trigger malicious activity again.
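The point that response cannot stop at replacing the affected packages is easiest to see with a concrete triage step. The script below is an added example written for this article; it is not SAP's, SecurityBridge's, Layer Seven's or any other vendor's tooling. It reads an npm package-lock.json (lockfileVersion 2 or 3) and reports, most urgent first, any dependency whose version is on a blocklist of known-compromised releases, any dependency resolved from somewhere other than the registry the organisation expects, and any dependency that runs an install lifecycle script. The package names and versions in the blocklist and in the embedded sample lockfile are constructed placeholders: the real affected names and versions must be taken from SAP Note 3747787 and the vendor advisories cited above, and the `hasInstallScript` and `resolved` fields it inspects are standard npm lockfile fields rather than anything specific to this campaign.

```python
"""Triage an npm package-lock.json (lockfileVersion 2 or 3) for dependencies that
need follow-up after a supply-chain compromise.

Added example for this article, not vendor tooling. All package names, versions
and integrity values below are constructed placeholders.
"""
import json
from pathlib import Path

# PLACEHOLDER blocklist: package name -> versions known to be compromised.
# Populate from SAP Note 3747787 / vendor advisories; these entries are invented.
COMPROMISED_VERSIONS = {
    "@placeholder-scope/cap-db-service": {"9.9.9"},
    "placeholder-mta-build-tool": {"0.0.99"},
}

# Registries the organisation expects dependencies to be fetched from (assumption).
EXPECTED_REGISTRIES = ("https://registry.npmjs.org/",)


def package_name_from_path(path: str) -> str:
    """Lockfile keys are install paths; 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def _finding(name, version, path, priority, reason):
    return {"package": name, "version": version, "path": path,
            "priority": priority, "reason": reason}


def triage_lockfile(lock: dict) -> list:
    """Return one finding per risky dependency entry, sorted most urgent first.

    Priority 1: version listed as compromised (treat the host as exposed).
    Priority 2: tarball resolved outside the expected registry.
    Priority 3: package executes an install lifecycle script at npm install.
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = meta.get("name") or package_name_from_path(path)
        version = meta.get("version", "")
        resolved = meta.get("resolved", "")
        if version in COMPROMISED_VERSIONS.get(name, set()):
            findings.append(_finding(name, version, path, 1,
                "version listed as compromised; rotate credentials reachable from this host"))
        elif resolved and not resolved.startswith(EXPECTED_REGISTRIES):
            findings.append(_finding(name, version, path, 2,
                f"resolved outside expected registry: {resolved}"))
        elif meta.get("hasInstallScript"):
            findings.append(_finding(name, version, path, 3,
                "runs an install lifecycle script (code executes during npm install)"))
    findings.sort(key=lambda f: (f["priority"], f["package"]))
    return findings


def triage_lockfile_path(lockfile: Path) -> list:
    """Load a lockfile from disk and triage it; refuses the old nested v1 layout."""
    lock = json.loads(lockfile.read_text(encoding="utf-8"))
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 nests 'dependencies'; regenerate with a current npm")
    return triage_lockfile(lock)


# Constructed sample lockfile (not from any real project); exercises all three rules.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"@placeholder-scope/cap-db-service": "^9.9.0"}},
        "node_modules/@placeholder-scope/cap-db-service": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@placeholder-scope/cap-db-service/-/cap-db-service-9.9.9.tgz",
            "integrity": "sha512-PLACEHOLDER", "hasInstallScript": True},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/internal-helper": {
            "version": "2.1.0",
            "resolved": "https://mirror.example.internal/internal-helper-2.1.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/native-thing": {
            "version": "3.0.1",
            "resolved": "https://registry.npmjs.org/native-thing/-/native-thing-3.0.1.tgz",
            "integrity": "sha512-PLACEHOLDER", "hasInstallScript": True},
    },
}


def demo() -> list:
    """Triage the embedded sample; returns three findings (P1, P2, P3)."""
    return triage_lockfile(SAMPLE_LOCK)


if __name__ == "__main__":
    for f in demo():
        print(f"[P{f['priority']}] {f['package']}@{f['version']} ({f['path']}): {f['reason']}")
```

Run against a real checkout with `triage_lockfile_path(Path("package-lock.json"))`. A priority-1 hit is the signal to start the wider response the article describes (credential rotation, build-environment review, repository checks) rather than just bumping the version, and the lockfile check does not cover editor project files, which need their own review.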
Orca Security’s research widens the lens further. Roi Nisimi, principal security researcher at Orca Security, reported a broader Mini Shai-Hulud wave affecting TanStack, Mistral AI, UiPath, 169 npm package names, and two PyPI packages. Orca also warned that malicious packages could be published from legitimate GitHub Actions runners using valid OIDC tokens, making npm provenance alone an incomplete safety signal.
That broader pattern helps explain why the SAP-specific issue required more than a standard Patch Day review. SAP’s Patch Day guidance and vendor research serve different purposes. SAP’s table tells customers what has been formally released and prioritized. Partner analysis can show where exposure may persist when compromised packages may have reached development systems, credentials, or cloud environments.
May Patch Day shows why SAP security depends on combining official SAP guidance with vendor intelligence. The attack surface now includes the tools, credentials, pipelines, package registries, and external components used to build and extend SAP systems.
What This Means for SAPinsiders
Patch urgency depends on operating impact. SAP teams should treat severity scores as the opening signal, then map each issue to process ownership, downtime tolerance, and recovery paths. The hardest patch decisions may involve systems that score lower but carry high operational dependency.
Developer environments need governance. Mini Shai-Hulud shows that development systems can create enterprise exposure before code reaches production. SAP teams should bring package controls, credential rotation, and build-pipeline monitoring into the same governance model used for production application security.
Vendor intelligence is gaining importance. Official SAP guidance defines the formal remediation baseline, but partner research can surface exposure that sits between patching, incident response, and operational validation. SAP teams should treat trusted vendor analysis as part of their security workflow.
ERP Today first published a version of this article on May 13, 2026.