SAP June 2026 Patch Day Fixes Four Critical Flaws in NetWeaver and Commerce Cloud — Including CVSS 9.9 SAML Authentication Bypass
SAP's June 2026 Security Patch Day addresses 15 vulnerabilities, four of them critical — led by a CVSS 9.9 XML Signature Wrapping flaw enabling SAML authentication bypass in NetWeaver and an unauthenticated CVSS 9.8 memory corruption bug exploitable via crafted RFC requests.
SAP has released its June 2026 Security Patch Day updates, fixing 15 vulnerabilities across its product portfolio. Four are rated critical, concentrated in NetWeaver — the application platform and middleware stack underpinning SAP ERP deployments — and Commerce Cloud, the company's enterprise e-commerce platform formerly known as Hybris.
The Four Critical Flaws
The most severe is CVE-2026-44748 (CVSS 9.9), an XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and the ABAP Platform. An authenticated attacker with ordinary privileges can obtain a validly signed message and submit modified signed XML documents that the verifier accepts — tampered identity assertions passing as genuine. In SAML-based environments, that translates to authentication bypass: unauthorized access to sensitive user data and potential disruption of normal system operation, with low-privilege access as the only prerequisite.
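The structural defence against this class of flaw is to bind the assertion the application consumes to the element the signature actually covers. The following is an added Python example, not SAP's code or anything from the advisory: it enforces that binding (one Assertion, one enveloped Signature, one same-document Reference whose ID uniquely names that Assertion) and reads the subject only from the element that passed. Cryptographic verification of the signature is assumed to be done by a separate xmlsec step on the returned element, and both sample responses are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def bound_assertion(response_xml: str) -> ET.Element:
    """Return the single Assertion that the enveloped Signature's Reference names.
    Raises ValueError when the document is shaped so that the verifier could check
    one element while the application consumes another. Cryptographic checking of
    the Signature is assumed to be done separately (e.g. xmlsec) on the result."""
    root = ET.fromstring(response_xml)
    assertions = list(root.iter(SAML + "Assertion"))       # anywhere in the tree
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion not in list(root):
        raise ValueError("Assertion is not a direct child of the Response")
    sigs = assertion.findall(DS + "Signature")              # direct children only
    if len(sigs) != 1:
        raise ValueError(f"expected exactly one enveloped Signature, found {len(sigs)}")
    refs = sigs[0].findall(DS + "SignedInfo/" + DS + "Reference")
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise ValueError("Signature must carry exactly one same-document Reference")
    target_id = refs[0].get("URI")[1:]
    holders = [e for e in root.iter() if e.get("ID") == target_id]
    if len(holders) != 1 or holders[0] is not assertion:
        raise ValueError(f"#{target_id} does not uniquely name the consumed Assertion")
    return assertion


def subject_name(response_xml: str) -> str:
    """Read the NameID only from the Assertion that passed the binding check."""
    name_id = bound_assertion(response_xml).find(SAML + "Subject/" + SAML + "NameID")
    return (name_id.text or "") if name_id is not None else ""


# Constructed sample: one Assertion whose enveloped Signature references its own ID.
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
 </saml:Assertion>
</samlp:Response>"""
# Constructed sample: the same document with a second, unsigned Assertion appended.
EXTRA_ASSERTION = GOOD.replace("</samlp:Response>", '<saml:Assertion ID="_a2">'
    "<saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion>"
    "</samlp:Response>")
```

A consumer that instead located the Assertion by path or by the first matching ID, and verified whatever the Reference pointed at, would accept the second sample once the original signature checked out.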
Close behind is CVE-2026-27671 (CVSS 9.8), a memory corruption flaw in the NetWeaver/ABAP Platform Application Server. This one requires no authentication at all — an attacker can trigger it by sending crafted RFC requests to vulnerable endpoints, exploiting improper kernel-level validation. Unauthenticated, network-reachable memory corruption on the application server hosting an organization's ERP core is about as serious as SAP advisories get.
The remaining two criticals are CVE-2026-22732 (CVSS 9.1), a Spring Security-related vulnerability affecting both SAP Commerce Cloud and SAP Data Hub, and CVE-2026-40128 (CVSS 9.0), a directory traversal flaw in the NetWeaver Application Server Java Web Container.

The Rest of the Patch Day
Two high-severity issues were also addressed: CVE-2026-29145, covering multiple Apache Tomcat flaws inherited by Commerce Cloud, and CVE-2026-44751, a missing authorization check in NetWeaver AS ABAP. The remaining fixes span SQL injection, path traversal, cross-site scripting, email spoofing, and authorization bypass issues across multiple SAP products. Full technical details and workarounds are gated behind SAP's customer security portal, as usual.
Why It Matters
SAP systems sit at the center of finance, logistics, and HR operations for a large share of the world's biggest enterprises, and historically, critical NetWeaver flaws have been weaponized within days of Patch Day once details circulate. The two headline bugs here form a particularly dangerous pair: CVE-2026-27671 offers unauthenticated code-execution-class impact on the application server, while CVE-2026-44748 quietly breaks the trust model of SAML single sign-on. Organizations running NetWeaver AS ABAP, AS Java, Commerce Cloud, or Data Hub should treat this cycle as priority patching — starting with the SAML wrapping and RFC memory corruption flaws — and audit which RFC endpoints are reachable from untrusted networks while updates roll out.