Gert-Jan Koster
SAP Security specialist

SAP Security Patch Day – January 2026

January 13, 2026

SAP Security Patch Day

The start of a new year brings a fresh set of priorities, but SAP security shouldn't be one you postpone. Patch volumes remain consistently high, and applying patches quickly is still one of the most effective ways to reduce exposure to known vulnerabilities. SAP released 17 new Security Notes on this first Patch Tuesday of the year and updated 2 existing notes. We break them down below.

SAP landscapes continue to evolve rapidly across on-premise, cloud, and hybrid environments — making effective patch management far more complex than “just patch.” With so many components and dependencies, patching can become a tedious, time-consuming process where critical updates are easy to miss. At SecurityBridge, we understand these challenges better than anyone. Our SecurityBridge Patch Management for SAP solution helps you identify missing patches across your SAP landscape, delivering clear visibility, impact analysis, and automated implementation. With a system-wide overview, it dramatically shortens the time needed to apply updates and monitor threats in real time—helping you start 2026 with a more secure and resilient SAP environment.


SecurityBridge Findings!

At SecurityBridge, we don't just provide a comprehensive SAP security platform; we are also deeply invested in ongoing research in the SAP security domain. We did so throughout 2025 and will continue to do so in the coming year.

For this month’s release, our latest discoveries are:

  • HotNews priority: note 3697979 – [CVE-2026-0491] Code Injection vulnerability in SAP Landscape Transformation
  • HotNews priority: note 3694242 – [CVE-2026-0498] Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)


Security notes - January 2026

HotNews

Let’s start with HotNews, the highest-priority category. There are 6 notes in total — 4 newly released today and 2 updates.

3687749 – SQL Injection in SAP S/4HANA (Financials – General Ledger)
Insufficient input validation allows an authenticated user to run crafted SQL that can read, modify or delete data in the backend database. A key prerequisite for this vulnerability is an incorrect configuration of authorization object S_RFC. The workaround is to correct S_RFC, but the vulnerability itself still needs to be fixed by patching. A prime example of how important this authorization object is for SAP security. See also FAQ note 3700593.
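As an added example (not code from this post, and not the specific precondition described in note 3687749 or its FAQ), the following Python script shows one S_RFC hygiene check a practitioner would run before and after applying the workaround: it queries role authorization values in the shape of table AGR_1251 for S_RFC grants that carry a full wildcard or an open LOW..HIGH range on RFC_NAME or RFC_TYPE. The rows are constructed sample data loaded into an in-memory SQLite table, the role and authorization names are invented, and the patterns flagged are a general assumption about what "too broad" means, not the note's exact criteria.

```python
"""S_RFC hygiene check against AGR_1251-shaped role data.

Added example, not code from the SecurityBridge post or SAP note 3687749.
The flagged patterns (wildcard '*' or an open LOW..HIGH range on RFC_NAME /
RFC_TYPE) are a general assumption about over-broad S_RFC grants.
"""
import sqlite3

# Constructed sample rows in the column order
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED). Names are invented.
SAMPLE_AGR_1251 = [
    ("Z_FI_GL_DISPLAY",   "S_RFC",   "T-AB01", "ACTVT",    "16",     "",     ""),
    ("Z_FI_GL_DISPLAY",   "S_RFC",   "T-AB01", "RFC_TYPE", "FUGR",   "",     ""),
    ("Z_FI_GL_DISPLAY",   "S_RFC",   "T-AB01", "RFC_NAME", "FAGL_*", "",     ""),   # prefix only
    ("Z_INTEGRATION_ALL", "S_RFC",   "T-AB02", "ACTVT",    "16",     "",     ""),
    ("Z_INTEGRATION_ALL", "S_RFC",   "T-AB02", "RFC_TYPE", "*",      "",     ""),   # any type
    ("Z_INTEGRATION_ALL", "S_RFC",   "T-AB02", "RFC_NAME", "*",      "",     ""),   # any FM / group
    ("Z_OLD_ROLE",        "S_RFC",   "T-AB03", "RFC_NAME", "*",      "",     "X"),  # deleted row
    ("Z_RANGE_ROLE",      "S_RFC",   "T-AB04", "RFC_NAME", "A",      "ZZZZ", ""),   # range = everything
    ("Z_HR_DISPLAY",      "S_TCODE", "T-AB05", "TCD",      "PA20",   "",     ""),   # unrelated object
]


def load_roles(rows):
    """Load rows into an in-memory table with the AGR_1251 columns we need."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE AGR_1251 (AGR_NAME TEXT, OBJECT TEXT, AUTH TEXT,"
        " FIELD TEXT, LOW TEXT, HIGH TEXT, DELETED TEXT)"
    )
    con.executemany("INSERT INTO AGR_1251 VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return con


# The same SELECT can be run against a real AGR_1251 (column names match).
BROAD_S_RFC_SQL = """
SELECT AGR_NAME, AUTH, FIELD, LOW, HIGH,
       CASE WHEN LOW = '*' THEN 'wildcard' ELSE 'range' END AS kind
  FROM AGR_1251
 WHERE OBJECT = 'S_RFC'
   AND DELETED <> 'X'                     -- skip entries marked deleted
   AND FIELD IN ('RFC_NAME', 'RFC_TYPE')
   AND (LOW = '*' OR HIGH <> '')          -- full wildcard or an explicit range
 ORDER BY AGR_NAME, AUTH, FIELD
"""


def broad_s_rfc_grants(con):
    """Return (role, auth, field, low, high, kind) for over-broad S_RFC values."""
    return [tuple(r) for r in con.execute(BROAD_S_RFC_SQL)]


def audit(rows=SAMPLE_AGR_1251):
    """Load the rows and return the findings; the sample yields three."""
    return broad_s_rfc_grants(load_roles(rows))


if __name__ == "__main__":
    for role, auth, field, low, high, kind in audit():
        span = low if not high else f"{low}..{high}"
        print(f"{role:<20} {auth:<8} {field:<9} {span:<10} {kind}")
```

On a real system you would run the equivalent SELECT against AGR_1251 (or use SUIM), then map the flagged roles to users via AGR_USERS. A '*' on RFC_NAME, or an A..ZZZZ range that is a wildcard in disguise, in a role held by dialog or service users is exactly the sort of grant worth reviewing against the guidance in FAQ note 3700593.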

3668679 – Remote Code Execution in SAP Wily Introscope Enterprise Manager
The risk here is outright remote code execution. The note describes a scenario in which an attacker crafts a malicious JNLP file that leads to code execution on the target. If you run Introscope EM, this can probably be patched quickly without considerable impact; otherwise consider the workaround. See also FAQ note 3702381.

3697979 – Code Injection in SAP Landscape Transformation
An attacker with administrative access can exploit an RFC-exposed function module to inject arbitrary ABAP or OS commands, turning a trusted integration component into an execution path. The guidance is straightforward: implement SAP's correction so those calls can no longer be abused for injection and execution. There is no workaround; see also FAQ note 3698186.

3694242 – Code Injection in SAP S/4HANA (Private Cloud & On-Premise)
Very much like note 3697979, this note describes how an attacker with admin privileges can abuse an RFC-exposed function module to inject arbitrary ABAP code and OS commands, effectively bypassing critical authorization controls. The remediation is simple: apply SAP’s correction, see also FAQ note 3698254.

3683579 – Multiple Apache Tomcat Vulnerabilities in SAP Commerce Cloud
Remember this note from last month? Its symptom and solution sections have been revised, and a workaround is now described. If you use SAP Commerce Cloud, make sure to double-check the note.

3685286 – Deserialization Vulnerability in SAP jConnect (SDK for ASE)
This note also stems from last month's Patch Day and has only been updated slightly, with a reference to note 3693119.

 

High-Priority Notes

We only have 4 High-priority notes this month, all of them newly released. Although these sit one category below HotNews, they are still important. We highlight the following:

3691059 – Privilege Escalation in SAP HANA Database
This note only concerns SAP HANA 2.0 SP7 and SP8. It describes a weakness that allows an attacker to switch to another user and potentially gain administrative access. Patching the system is the only remediation.

3675151 – OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK
An attacker with administrative access (and the network adjacency described in the note) can inject OS commands through the vulnerable interface. A kernel update is required to fix this. The vulnerability also affects the NetWeaver RFCSDK which means that any custom developments using this SDK need to be updated as well!

3565506 – Multiple Vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
This note addresses not 1 but 3 vulnerabilities in the SAP Fiori app Intercompany Balance Reconciliation. There is a workaround but – as always – applying the patch is the way forward. See also the other security notes – with lower priority – regarding this app.

Medium- and Low-Priority Notes

This Patch Tuesday, 9 notes fall into the Medium or Low category. See below for some highlights and for a full breakdown, scroll to the end of this post.

3666061 – XSS in SAP Business Connector
An attacker can lure users into clicking a malicious URL that triggers script execution and can lead to unauthorized access/changes in the web client context. We have seen a number of security notes for the SAP Business Connector last year and this is another one. A gentle reminder that the Business Connector is still around!

3638716 – Open Redirect in SAP SRM (Catalog SICF Handler)
An unauthenticated attacker can craft a URL that redirects victims to an attacker-controlled destination. SAP’s fix is input URL validation; the note also lists post-implementation steps/configuration that must be completed.
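To make the "input URL validation" fix concrete, here is an added example in Python (not SAP's correction and not the SRM catalog handler's code, which is ABAP) of a redirect-target check that rejects the usual open-redirect tricks: scheme-relative `//host` and `///host` targets, backslash and control-character variants, non-https schemes such as `javascript:`, and userinfo confusion like `https://good@evil`. The allow-listed host and the default landing page are assumed values for the example.

```python
"""Redirect-target validation against open redirects.

Added example, not code from SAP note 3638716 or the SRM catalog handler.
ALLOWED_HOSTS and DEFAULT_TARGET are assumed values for the example.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"srm.example.com"}   # assumption: hosts we are willing to send users to
DEFAULT_TARGET = "/"                   # safe landing page when validation fails


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `target` only if it is a same-site absolute path or an https URL
    to an allow-listed host; otherwise return `default`."""
    if not target:
        return default
    # Reject control characters, whitespace and backslashes before parsing:
    # browsers treat '\' as '/', and Python's urlsplit silently strips tab/CR/LF,
    # so a check on the parsed result alone would miss them.
    if any(ord(c) < 0x21 or c == "\\" for c in target):
        return default
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require exactly one leading '/'. Browsers resolve
        # '//host' and '///host' as scheme-relative absolute URLs.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme.lower() != "https":
        return default                  # javascript:, data:, http:, or bare '//host'
    if "@" in parts.netloc:
        return default                  # userinfo tricks: https://allowed@evil.example
    host = (parts.hostname or "").lower()
    if host in allowed_hosts:
        return target
    return default


if __name__ == "__main__":
    # Constructed probe targets, the kind an attacker would try in the redirect parameter.
    for probe in ["/catalog/item?id=42", "//evil.example/x", "/\\evil.example",
                  "javascript:alert(1)", "https://srm.example.com@evil.example/",
                  "https://srm.example.com/catalog"]:
        print(f"{probe!r:45} -> {safe_redirect_target(probe)!r}")
```

The design choice is to validate the raw string first and the parsed URL second: every parser normalises something (Python drops tab and newline, browsers fold backslashes), so a check that only looks at `urlsplit()` output can disagree with what the victim's browser will actually load. Falling back to a fixed landing page rather than raising an error also avoids leaking which targets were rejected.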

3593356 – Obsolete Encryption Algorithm in NW AS Java UME User Mapping
An obsolete crypto algorithm leaves encrypted user mapping data vulnerable and is fixed by applying the patch AND manually converting the data. Do not forget this last step to be secure!

SAP Security Notes January 2026

Highlights

Multiple HotNews notes to review at the start of 2026.

Summary by Severity

The January release contains a total of 19 patches for the following severities:

Severity    Number
Hot News    6
High        4
Medium      7
Low         2
Note – Description (each entry followed by Severity and CVSS score, Priority, Release date, Components, Category)

3687749 – [CVE-2026-0501] SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger)
Severity: Hot News (CVSS 9.9) | Priority: HotNews | Released on: 1/13/26 | Components: FI-GL-GL-G | Category: Program error

3683579 – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Severity: Hot News (CVSS 9.6) | Priority: HotNews | Released on: 12/9/25 | Components: CEC-SCC-PLA-PL | Category: Program error

3668679 – [CVE-2026-0500] Remote code execution in SAP Wily Introscope Enterprise Manager (WorkStation)
Severity: Hot News (CVSS 9.6) | Priority: HotNews | Released on: 1/13/26 | Components: SV-SMG-DIA-WLY | Category: Program error

3685286 – [CVE-2025-42928] Deserialization Vulnerability in SAP jConnect - SDK for ASE
Severity: Hot News (CVSS 9.1) | Priority: HotNews | Released on: 12/9/25 | Components: BC-SYB-SDK | Category: Program error

3694242 – [CVE-2026-0498] Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)
Severity: Hot News (CVSS 9.1) | Priority: HotNews | Released on: 1/13/26 | Components: CA-DT-ANA | Category: Program error

3697979 – [CVE-2026-0491] Code Injection vulnerability in SAP Landscape Transformation
Severity: Hot News (CVSS 9.1) | Priority: HotNews | Released on: 1/13/26 | Components: CA-LT-ANA | Category: Program error

3691059 – [CVE-2026-0492] Privilege escalation vulnerability in SAP HANA database
Severity: High (CVSS 8.8) | Priority: Correction with high priority | Released on: 1/13/26 | Components: HAN-DB-SEC | Category: Program error

3675151 – [CVE-2026-0507] OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK
Severity: High (CVSS 8.4) | Priority: Correction with high priority | Released on: 1/13/26 | Components: BC-MID-RFC-SDK | Category: Program error

3565506 – [CVE-2026-0511] Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Severity: High (CVSS 8.1) | Priority: Correction with high priority | Released on: 1/13/26 | Components: FI-LOC-FI-RU | Category: Correction of legal function

3688703 – [CVE-2026-0506] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform
Severity: High (CVSS 8.1) | Priority: Correction with high priority | Released on: 1/13/26 | Components: BC-DWB-DIC-F4 | Category: Program error

3681523 – [CVE-2026-0503] Missing Authorization check in SAP ERP Central Component and SAP S/4HANA (SAP EHS Management)
Severity: Medium (CVSS 6.4) | Priority: Correction with medium priority | Released on: 1/13/26 | Components: EHS-SAF | Category: Program error

3666061 – [CVE-2026-0514] Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
Severity: Medium (CVSS 6.1) | Priority: Correction with medium priority | Released on: 1/13/26 | Components: BC-MID-BUS | Category: Program error

3687372 – [CVE-2026-0499] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Severity: Medium (CVSS 6.1) | Priority: Correction with medium priority | Released on: 1/13/26 | Components: EP-PIN-NAV | Category: Program error

3638716 – [CVE-2026-0513] Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)
Severity: Medium (CVSS 4.7) | Priority: Correction with medium priority | Released on: 1/13/26 | Components: SRM-EBP-CAT | Category: Program error

3677111 – [CVE-2026-0497] Missing Authorization check in Business Server Pages Application (Product Designer Web UI)
Severity: Medium (CVSS 4.3) | Priority: Correction with medium priority | Released on: 1/13/26 | Components: PLM-PPM-PDN | Category: Program error

3655227 – [CVE-2026-0494] Information Disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Severity: Medium (CVSS 4.3) | Priority: Correction with medium priority | Released on: 1/13/26 | Components: FI-LOC-FI-RU | Category: Correction of legal function

3655229 – [CVE-2026-0493] Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Severity: Medium (CVSS 4.3) | Priority: Correction with medium priority | Released on: 1/13/26 | Components: FI-LOC-FI-RU | Category: Correction of legal function

3657998 – [CVE-2026-0504] Insufficient Input Handling in JNDI Operations of SAP Identity Management
Severity: Low (CVSS 3.8) | Priority: Correction with low priority | Released on: 1/13/26 | Components: BC-IAM-IDM | Category: Program error

3593356 – [CVE-2026-0510] Obsolete Encryption Algorithm Used in NW AS Java UME User Mapping
Severity: Low (CVSS 3.0) | Priority: Correction with low priority | Released on: 1/13/26 | Components: BC-JAS-SEC-UME | Category: Program error