SAP Security Patch Day – April 2026
As we move into April, the year continues to gain momentum — and SAP security should remain a top priority. While this month’s patch volume is not exceptionally high, it serves as yet another reminder that postponing security updates is never a sound strategy. Timely patching remains one of the most effective ways to reduce exposure to known vulnerabilities and minimize the attack surface across SAP landscapes.
This month’s SAP Security Patch Day delivered 22 Security Notes (including updates and interim releases) that should be carefully reviewed. Every ‘Patch Day’ introduces fixes that may impact different areas of the SAP environment, and even a moderate release can include notes with significant security implications. Below, we highlight the most relevant notes from April and explain what they could mean for your SAP landscape.
SAP environments continue to grow in complexity, spanning on-premise systems, cloud services, and hybrid architectures. As a result, patch management has become far more than a routine maintenance activity. With numerous interconnected components and dependencies, patching can quickly turn time-consuming, resource-intensive, and difficult to coordinate — increasing the likelihood that critical fixes are missed. At SecurityBridge, we understand these challenges well.
Our SecurityBridge Patch Management for SAP solution helps you identify missing patches across your SAP landscape, providing clear visibility, impact analysis, and automated implementation support. With a system-wide overview, it helps shorten patching cycles and strengthen continuous threat monitoring, supporting a more secure and resilient SAP environment throughout 2026.
SecurityBridge Findings!
At SecurityBridge, we don’t just provide a comprehensive SAP security platform; we are also deeply committed to ongoing research within the SAP security domain.
For this month’s release, our latest discoveries include
HotNews
Let’s start with HotNews, the highest-priority category. This month, only 1 note has been released.
3719353 – SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
In the affected SAP components, an authenticated user can execute SQL statements to read, modify, and delete database data. The severity of this vulnerability speaks for itself and requires no further explanation. Apply the fix (preferred) or implement the workaround by revoking the S_GUI authorization object with Activity 60 from user accounts.
High-Priority Notes
We only have 2 High-priority notes this month. One note (3678282) has been updated earlier in March with only textual changes. For the other note, see below:
3731908 — Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
This vulnerability concerns a missing authorization check that allows an attacker to overwrite certain ABAP reports. Apply the fix or the workaround to programs RGJVCORG and RGJVCORX. The fix – as always – is the preferred solution.
Medium- and Low-Priority Notes
As is often the case, the majority of security notes fall into the Medium or Low category — 17 and 2 respectively this month. More than half of these relate to missing authorization checks, which continue to pose significant security risks. These issues can typically be resolved by simply applying the supplied patches. We highlight additional key findings below, and for a full breakdown, please scroll to the end of this post.
3696239 – Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform
This vulnerability is caused by an embedded vulnerable library within the software. The use of outdated or vulnerable third-party libraries is a common source of security issues, and these continue to reappear month after month. In this case, it affects the Apache Struts library, which must be updated to a newer version. Apply the specified SBOP patches to mitigate the risk.
3692004 – Open Redirect vulnerability in SAP NetWeaver Application Server ABAP
This “open redirect” vulnerability requires not only patching but also additional manual steps if RFID devices or older versions are in use. Make sure to carry out all required actions to fully mitigate the risk.
3730639 – Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer
The vulnerability described in this note requires an update to the SAP HANA Cockpit. Verify whether the affected version and scenario are in use, and ensure that an updated version is applied. See the help file referenced by the note and FAQ note 3735715 for more details.
SAP Security Notes April 2026
Highlights
April 2026 brings an average number of security notes, many of them addressing missing authorization checks.
Summary by Severity
The April release contains a total of 22 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 1 |
| High | 2 |
| Medium | 17 |
| Low | 2 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3719353 | [CVE-2026-27681] SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse Priority: HotNews Released on: 4/14/26 Components: EPM-BPC-NW-SQE Category: Program error | Hot News | 9.9 |
| 3678282 | [CVE-2026-0485] Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform Priority: Correction with high priority Released on: 2/10/26 Components: BI-BIP-SRV Category: Program error | High | 7.5 |
| 3731908 | [CVE-2026-34256] Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) Priority: Correction with high priority Released on: 4/14/26 Components: CA-JVA-JVA Category: Program error | High | 7.1 |
| 3715177 | [CVE-2026-27678] Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures) Priority: Correction with medium priority Released on: 4/14/26 Components: PM-EQM-RS Category: Program error | Medium | 6.5 |
| 3715097 | [CVE-2026-27677] Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment) Priority: Correction with medium priority Released on: 4/14/26 Components: PM-EQM-EQ Category: Program error | Medium | 6.5 |
| 3680767 | [CVE-2026-34264] Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA Priority: Correction with medium priority Released on: 4/14/26 Components: PA-PA-XX Category: Program error | Medium | 6.5 |
| 3705094 | [CVE-2026-34261] Missing Authorization check in SAP Business Analytics and SAP Content Management Priority: Correction with medium priority Released on: 4/14/26 Components: PA-OS Category: Program error | Medium | 6.5 |
| 3716767 | [CVE-2026-27679] Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures) Priority: Correction with medium priority Released on: 4/14/26 Components: PM-EQM-RS Category: Program error | Medium | 6.5 |
| 3696239 | [CVE-2025-64775] Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform Priority: Correction with medium priority Released on: 4/14/26 Components: BI-BIP-SEC Category: Program error | Medium | 6.5 |
| 3689080 | [CVE-2026-24316] Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP Priority: Correction with medium priority Released on: 3/10/26 Components: BC-TWB-TST-ECA Category: Program error | Medium | 6.4 |
| 3645228 | [CVE-2026-0512] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog) Priority: Correction with medium priority Released on: 4/14/26 Components: SRM-EBP-CAT Category: Program error | Medium | 6.1 |
| 3692004 | [CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP Priority: Correction with medium priority Released on: 4/14/26 Components: BC-FES-ITS Category: Program error | Medium | 6.1 |
| 3719397 | [CVE-2026-27674] Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java) Priority: Correction with medium priority Released on: 4/14/26 Components: BC-WD-JAV Category: Program error | Medium | 6.1 |
| 3730639 | [CVE-2026-34262] Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer Priority: Correction with medium priority Released on: 4/14/26 Components: HAN-CPT-CPT2-DBX Category: Program error | Medium | 5.0 |
| 3703813 | [CVE-2026-27673] Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise) Priority: Correction with medium priority Released on: 4/14/26 Components: IS-U-TO-MI Category: Program error | Medium | 4.9 |
| 3530544 | [CVE-2025-42899] Missing Authorization check in SAP S4CORE (Manage Journal Entries) Priority: Correction with medium priority Released on: 11/11/25 Components: FI-FIO-GL-TRA Category: Program error | Medium | 4.3 |
| 3703276 | [CVE-2026-27672] Missing Authorization check in Material Master Application Priority: Correction with medium priority Released on: 4/14/26 Components: SCM-BAS-INT-MD Category: Program error | Medium | 4.3 |
| 3711682 | [CVE-2026-27676] Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures) Priority: Correction with medium priority Released on: 4/14/26 Components: PM-EQM-RS Category: Program error | Medium | 4.3 |
| 3702191 | [CVE-2026-24318] Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform Priority: Correction with medium priority Released on: 4/14/26 Components: BI-BIP-INV Category: Program error | Medium | 4.2 |
| 3698216 | [CVE-2026-27683] Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform Priority: Correction with medium priority Released on: 4/14/26 Components: BI-BIP-INV Category: Program error | Medium | 4.1 |
| 3665042 | [CVE-2026-27680] CSS Injection vulnerability in SAP NetWeaver Application Server ABAP Priority: Correction with low priority Released on: 3/10/26 Components: BC-WD-UR Category: Program error | Low | 3.1 |
| 3723097 | [CVE-2026-27675] Code Injection vulnerability in SAP Landscape Transformation Priority: Correction with low priority Released on: 4/14/26 Components: CA-LT-PCL Category: Program error | Low | 2.0 |
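The post stresses two triage points: re-released notes (such as 3678282, first published in February) must be re-checked alongside the new ones, and most of this month's medium notes are missing-authorization fixes. The following script is an added example, not SecurityBridge or SAP code; it assumes the note table above has been exported as pipe-separated rows (a subset is embedded) and that `applied` is the set of note numbers already implemented in your landscape.

```python
"""Triage helper for an SAP Security Patch Day note list (added example)."""
import re
from dataclasses import dataclass

# Rows copied from the April 2026 table above: note|title|release date|CVSS.
# Only a subset of the 22 notes is embedded here to keep the example short.
SAMPLE_ROWS = """
3719353|SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse|4/14/26|9.9
3678282|Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform|2/10/26|7.5
3731908|Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)|4/14/26|7.1
3715177|Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures)|4/14/26|6.5
3689080|Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP|3/10/26|6.4
3530544|Missing Authorization check in SAP S4CORE (Manage Journal Entries)|11/11/25|4.3
3723097|Code Injection vulnerability in SAP Landscape Transformation|4/14/26|2.0
"""

PATCH_DAY = "4/14/26"  # release date of the April 2026 Patch Day


@dataclass
class Note:
    number: str
    title: str
    released: str
    cvss: float

    @property
    def is_new(self) -> bool:
        # Anything released before Patch Day is an update/re-release of an older note.
        return self.released == PATCH_DAY

    @property
    def is_missing_auth(self) -> bool:
        return re.search(r"missing authorization", self.title, re.I) is not None


def parse_notes(text: str) -> list[Note]:
    notes = []
    for line in text.strip().splitlines():
        number, title, released, cvss = line.split("|")
        notes.append(Note(number, title, released, float(cvss)))
    return notes


def triage(notes: list[Note], applied: set[str]) -> list[dict]:
    """Return outstanding notes, highest CVSS first; re-released notes are
    kept in the list but flagged so an earlier implementation is re-verified."""
    pending = [n for n in notes if n.number not in applied]
    pending.sort(key=lambda n: (-n.cvss, n.number))
    return [{"note": n.number, "cvss": n.cvss,
             "status": "new" if n.is_new else "re-released, re-check",
             "missing_auth": n.is_missing_auth} for n in pending]
```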
