Skip to content

SAP Security Patch Day – July 2026

Gert Jan
Gert-Jan Koster
SAP Security specialist
July 14, 2026
8 min read

Chapters

Share Article

Let's Talk SAP Security

Have questions about SAP Security? We’re here to help. Contact Us

Text Base Post Article

SAP security should remain a key priority, that much is clear. Although this month’s patch volume is not exceptionally high, it once again highlights the risks of postponing security updates. How many times we see breaches that can be tracked back to a missing patch? Applying patches asap remains one of the most effective ways to reduce exposure to known vulnerabilities and limit the attack surface across SAP landscapes.

This month’s SAP Security Patch Day includes 16 new Security Notes released today, together with 4 updates issued between patch days. All of these should be carefully assessed. Below, we highlight the most relevant notes from July and explain what they could mean for your SAP landscape.

SAP environments continue to grow in complexity, often combining on-premise systems, cloud services, and hybrid architectures. As a result, patch management has become far more than a routine maintenance activity. With many interconnected components and dependencies, patching can be time-consuming, resource-intensive, and difficult to coordinate, increasing the risk that important fixes are delayed or overlooked. At SecurityBridge, we understand these challenges.

The SecurityBridge Patch Management for SAP solution helps organizations identify missing patches across their SAP landscape while providing clear visibility, impact analysis, and automated implementation support. By delivering a system-wide overview, it helps accelerate patching cycles, reduce operational effort, and strengthen continuous threat monitoring, contributing to a more secure and resilient SAP environment throughout 2026.

HotNews

As always, we’ll start with the HotNews notes, the highest-priority category. This month, we have 4 notes to consider in this category.

3747367 – Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP

This vulnerability concerns all SICF nodes that have the interactive GUI setting active (SAP GUI for HTML). Normally, that is the tree /sap/bc/gui and all the subsides but it concerns any other with this setting active as well. The fix is provided via a kernel patch which means there is downtime involved. This is often a reason why patches are not immediately applied!. Apply the kernel patch or consider the workaround to deactivate all relevant nodes. See FAQ note 3779058 for additional information.

For SecurityBridge users: active ICF nodes can be easily found via the Security & Compliance monitor > tools > ICF Services. This is a great help to apply assess the impact of this note and to apply the workaround.

3720138 – HTTP Request Smuggling in SAP Approuter

This HTTP Request Smuggling vulnerability concerns the SAP Approuter. Perhaps a component that is not too familiar for technical administrators. Nevertheless, the Approuter often plays a vital role in BTP connectivity and this vulnerability can have a large impact on confidentially and availability. In this case, Approuters are affected that do not run in Cloud Foundry. See note 3770203 for additional information concerning XSUAA.

Make sure to update relevant Approuter deployments with the updated Node.js package.

3753495 – Insecure Sample Credentials in SAP Commerce Cloud

This vulnerability is catalogued as a ‘documentation error’ but make no mistake, it is a HotNews note for a reason! On SAP Commerce Cloud, a sample OAuth2 client may exist with a well-known set of credentials that gives access to the system. This client may be there because of delivered scripts. Make sure the client trusted_client does not exist or has at least updated (not-well known) credentials. See FAQ note 3758007 for additional information.

3727078 – Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

The note has earlier released and now updated with support package and patch information. Check if this update applies to your landscape now.


High-Priority Notes

Next up is the High Priority category. A level lower than HotNews but no reason to consider these notes as unimportant. There are 6 notes in this category this month, see the highlights below:

3758101 – Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell)

Various vulnerabilities have been found in Apache Camel, which is the foundation for SAP Cloud Integration. As a PaaS offering, these vulnerabilities are taken care off by SAP in Cloud Integration but for the Edge Integration Cell, the updated version of Integration Cell needs to be applied by the customer. There is a workaround available but the update is – as always – the way to go forward.

3692165 – DLL Hijacking vulnerability in SAProuter on Microsoft Windows

The SAPRouter component exists already for a long time in SAP landscapes and facilitates RFC traffic. A vulnerability has been found that allows DLL hijacking. It is relevant for Windows-based SAPRouter installations (obviously) and requires an updated version of the SAPRouter. 

The note also advises other security measures which are very relevant to consider!

3763800 – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud

Various vulnerabilities have been found on SAP Commerce Cloud which are all related to the Apache Tomcat server that is used underneath. See the note for the instructions on how to update for either Public Cloud or on-premise situations. Workaround are available. See FAQ note 3768608 for additional information.

3741519 – Open Redirect vulnerability in SAP Approuter

The Approuter was already subject to one of the HotNews security notes. But also for this redirect vulnerability. Make sure to update to the mentioned version. But also: configure the redirect-urls in a strict way as mentioned by the note. This is a manual activity!

3773304 – Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach)

The ctsattach tool has a deserialization issue which may lead to remote code execution. The tool is no longer available and should no longer be used. Make sure to delete all versions of it according to the note. See note 2473648 for additional information.

 

Medium- and Low-Priority Notes

As we see almost every patch cycle, the majority of security notes fall into the Medium or Low category. This time 8 and 2 respectively. These issues can typically be resolved by simply applying the supplied patches. We highlight additional key findings below, and for a full breakdown, please scroll to the end of this post.

3732522 – Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service)

This vulnerability concerns the User Self Service in a HANA XS classic setup. Apply the patch (preferred) or disable the user self service functionality as a workaround.

 

SAP Security Notes July 2026

Highlights

A relative high number of HotNews and High priority notes for the month of July

Summary by Severity

The July release contains a total of 20 patches for the following severities:

   
       
                   

               

         
     
 
SeverityNumber
Hot News
4
High
6
Medium
8
Low
2
       
   
NoteDescriptionSeverityCVSS
3747367[CVE-2026-44747] Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP
Priority: HotNews
Released on: 7/14/26
Components: BC-FES-ITS
Category: Program error
Hot News9.9
3753495[CVE-2026-44761] Insecure Sample Credentials in SAP Commerce Cloud
Priority: HotNews
Released on: 7/14/26
Components: CEC-SCC-COM-BC-OCC
Category: Documentation error
Hot News9.1
3720138[CVE-2026-27690] HTTP Request Smuggling in SAP Approuter
Priority: HotNews
Released on: 7/14/26
Components: BC-XS-APR
Category: Program error
Hot News9.1
3727078[CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)
Priority: HotNews
Released on: 6/9/26
Components: BC-JAS-WEB
Category: Program error
Hot News9.0
3758101[CVE-2026-40860] Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell)
Priority: Correction with high priority
Released on: 7/14/26
Components: LOD-HCI-PI-CON-SOAP
Category: Program error
High8.8
3692165[CVE-2026-0487] DLL Hijacking vulnerability in SAProuter on Microsoft Windows
Priority: Correction with high priority
Released on: 7/14/26
Components: BC-CST-NI
Category: Program error
High8.4
3748227[CVE-2026-44752] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard)
Priority: Correction with high priority
Released on: 7/14/26
Components: BC-INS-CTC-RT
Category: Program error
High8.2
3741519[CVE-2026-44745] Open Redirect vulnerability in SAP Approuter
Priority: Correction with high priority
Released on: 7/14/26
Components: BC-CP-APR
Category: Program error
High8.1
3763800[Multiple CVEs] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Priority: Correction with high priority
Released on: 7/14/26
Components: CEC-SCC-PLA-PL
Category: Program error
High8.1
3773304[CVE-2026-58233] Remote Code Execution vulnerability in SAP Change and Transport SystemÊAttach Tool (ctsattach)
Priority: Correction with high priority
Released on: 7/14/26
Components: BC-CTS-TMS-PLS
Category: Program error
High7.6
3692004[CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP
Priority: Correction with medium priority
Released on: 4/14/26
Components: BC-FES-ITS
Category: Program error
Medium6.1
3746678[CVE-2026-44759] Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 7/14/26
Components: EP-PIN-AI-SRA
Category: Program error
Medium6.1
3537373[CVE-2026-44769] SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO)
Priority: Correction with medium priority
Released on: 7/14/26
Components: PPM-PRO
Category: Program error
Medium5.5
3754659[CVE-2026-44760] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages)
Priority: Correction with medium priority
Released on: 7/14/26
Components: BC-BSP
Category: Program error
Medium4.7
3515598[CVE-2026-44771] Missing Authorization check in SAP S/4HANA (Draft operation)
Priority: Correction with medium priority
Released on: 7/14/26
Components: FIN-FSCM-CLM-COP
Category: Program error
Medium4.3
3713902[CVE-2026-44770] Missing Authorization check in SAP S/4 HANA (Create Single Payment)
Priority: Correction with medium priority
Released on: 7/14/26
Components: FI-FIO-AP-PAY
Category: Program error
Medium4.3
3682699[CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad)
Priority: Correction with medium priority
Released on: 6/9/26
Components: CA-FLP-FE-COR
Category: Program error
Medium4.2
3155685[CVE-2026-44768] Security misconfiguration in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 7/14/26
Components: CA-WUI-UI
Category: Program error
Medium4.1
3732522[CVE-2026-44753] - Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service)
Priority: Correction with low priority
Released on: 7/14/26
Components: HAN-AS-XS
Category: Program error
Low3.7
3726899[CVE-2025-68161] Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java
Priority: Correction with low priority
Released on: 6/9/26
Components: BC-JAS-SEC-UME
Category: Program error
Low3.3