SAP Patches Critical Code Injection Flaws in S/4HANA and Commerce Cloud
SAP has released 15 security notes as part of its May 2026 Security Patch Day, including fixes for two critical vulnerabilities carrying CVSS scores of 9.6 in S/4HANA and Commerce Cloud.
The S/4HANA flaw, tracked as CVE-2026-34260, is an SQL injection caused by missing input validation and sanitization. An authenticated attacker can inject malicious SQL statements to read data, impacting application confidentiality and availability. While the vulnerable code limits exploitation to read access, the critical severity reflects the potential scope of data exposure in enterprise environments running S/4HANA.
The Commerce Cloud vulnerability, tracked as CVE-2026-34263, is more severe in practical terms. A missing authentication check in the cloud configuration — caused by overly permissive security rules with improper rule ordering — allows an unauthenticated attacker to upload malicious configurations and inject code, resulting in arbitrary server-side code execution with no authentication required.
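The "improper rule ordering" described above is a general failure mode of first-match access-control configurations: a broad permissive rule listed ahead of a narrower protective rule shadows it, so the protective rule never fires. The following is an added illustration, not SAP's code and not the actual Commerce Cloud configuration (which the page does not show); the path patterns, the rule names `permitAll`/`authenticated` and the `audit` heuristic are constructed for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    pattern: str  # path glob, e.g. "/config/upload/**" (constructed)
    access: str   # "permitAll" or "authenticated" (assumed rule vocabulary)


def decide(rules, path, authenticated):
    """First matching rule wins; a request that matches no rule is denied."""
    for rule in rules:
        if fnmatch(path, rule.pattern):
            if rule.access == "permitAll":
                return "allow"
            if rule.access == "authenticated":
                return "allow" if authenticated else "deny"
            raise ValueError("unknown access type: %r" % rule.access)
    return "deny"


# Constructed misconfiguration: the catch-all permissive rule comes first,
# so the rule meant to protect configuration uploads is unreachable.
MISORDERED = [
    Rule("/**", "permitAll"),
    Rule("/config/upload/**", "authenticated"),
]

# Corrected ordering: specific rules first, catch-all last, and the
# catch-all itself requires authentication (deny-by-default posture).
CORRECTED = [
    Rule("/public/**", "permitAll"),
    Rule("/config/upload/**", "authenticated"),
    Rule("/**", "authenticated"),
]


def audit(rules):
    """Return (shadowing_index, shadowed_index) pairs.

    Heuristic shadowing check: build a representative path from the later
    rule's pattern and see whether an earlier permitAll rule already matches
    it. If so, the later, stricter rule can never take effect.
    """
    findings = []
    for i, earlier in enumerate(rules):
        if earlier.access != "permitAll":
            continue
        for j in range(i + 1, len(rules)):
            later = rules[j]
            if later.access == "permitAll":
                continue
            probe = later.pattern.replace("**", "probe").replace("*", "p")
            if fnmatch(probe, earlier.pattern):
                findings.append((i, j))
    return findings


if __name__ == "__main__":
    req = "/config/upload/site.yaml"
    print("misordered, unauthenticated:", decide(MISORDERED, req, False))
    print("corrected,  unauthenticated:", decide(CORRECTED, req, False))
    print("shadowed rules in misordered config:", audit(MISORDERED))
```

The `audit` function is the kind of check worth running over any ordered rule set before deployment: it flags exactly the pattern the advisory describes, a permissive rule that silently neutralises a later authentication requirement.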
SAP also patched a high-severity OS command injection flaw in Forecasting & Replenishment (CVE-2026-34259) that could allow authenticated attackers to execute arbitrary operating system commands. The remaining 12 security notes address medium and low-severity issues across NetWeaver, BusinessObjects, SAPUI5, Financial Consolidation, and other products.
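Both the S/4HANA SQL injection and the Forecasting & Replenishment OS command injection come down to the same root cause the advisory names: untrusted input reaching an interpreter without validation or sanitization. The block below is an added example, not SAP's code; the `vendor` table, its rows and the `fr_export` tool name are constructed placeholders. It shows the string-built query beside its parameterized form, and a strict allowlist plus argv-list construction for the OS command case.

```python
import re
import sqlite3

# Constructed sample data standing in for an ERP table (not SAP's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vendor (id INTEGER PRIMARY KEY, name TEXT, region TEXT)"
    )
    conn.executemany(
        "INSERT INTO vendor (name, region) VALUES (?, ?)",
        [("Acme GmbH", "EMEA"), ("Bolt Ltd", "EMEA"), ("Cobalt Inc", "AMER")],
    )
    return conn


def vendors_by_region_vulnerable(conn, region):
    # Vulnerable: the caller's input is spliced into the SQL text, so a
    # quote in the input changes the statement instead of the data.
    sql = "SELECT name FROM vendor WHERE region = '" + region + "'"
    return [row[0] for row in conn.execute(sql)]


def vendors_by_region_safe(conn, region):
    # Hardened: a bind parameter keeps the input as a value; the statement
    # structure is fixed before any user data is seen.
    sql = "SELECT name FROM vendor WHERE region = ?"
    return [row[0] for row in conn.execute(sql, (region,))]


# Allowlist for identifiers handed to an external command: letters, digits,
# dot, underscore and dash only, so shell metacharacters are rejected outright.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.-]+")


def is_safe_token(value):
    return SAFE_TOKEN.fullmatch(value) is not None


def build_export_command(plant_code):
    """Return an argv list for a hypothetical `fr_export` tool.

    Two layers: validate against the allowlist, and build an argv list to be
    run without a shell, so even a token that slipped past validation could
    not be reinterpreted as additional commands.
    """
    if not is_safe_token(plant_code):
        raise ValueError("rejected plant code: %r" % plant_code)
    return ["fr_export", "--plant", plant_code]  # hypothetical tool name


if __name__ == "__main__":
    db = make_db()
    payload = "EMEA' OR '1'='1"  # constructed test input
    print("vulnerable:", vendors_by_region_vulnerable(db, payload))
    print("safe:      ", vendors_by_region_safe(db, payload))
    print(build_export_command("P01"))
```

With the constructed input the vulnerable query returns every vendor regardless of region, while the parameterized query returns nothing because no row has that literal region value; that difference is the detection signal to look for when reviewing query construction in custom ABAP or Java extensions.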
None of the vulnerabilities have been reported as exploited in the wild. However, the patches arrive less than two weeks after four SAP npm packages were compromised as part of the Mini Shai-Hulud supply chain campaign, which affected over 1,800 developers — making this a particularly high-urgency patch cycle for SAP shops.
Action Items
Prioritize CVE-2026-34263 in Commerce Cloud immediately — unauthenticated RCE with no user interaction is as bad as it gets. CVE-2026-34260 in S/4HANA should follow closely given the breadth of data accessible via SQL injection in ERP environments. Review Forecasting & Replenishment deployments for CVE-2026-34259. Organizations that were also affected by the recent Mini Shai-Hulud campaign targeting SAP npm packages should treat this patch cycle as part of a broader SAP security review.