SAP Security Patch Day – July 2026
Chapters
Share Article
Let's Talk SAP Security
Have questions about SAP Security? We’re here to help. Contact Us
SAP security should remain a key priority, that much is clear. Although this month’s patch volume is not exceptionally high, it once again highlights the risks of postponing security updates. How many times we see breaches that can be tracked back to a missing patch? Applying patches asap remains one of the most effective ways to reduce exposure to known vulnerabilities and limit the attack surface across SAP landscapes.
This month’s SAP Security Patch Day includes 16 new Security Notes released today, together with 4 updates issued between patch days. All of these should be carefully assessed. Below, we highlight the most relevant notes from July and explain what they could mean for your SAP landscape.
SAP environments continue to grow in complexity, often combining on-premise systems, cloud services, and hybrid architectures. As a result, patch management has become far more than a routine maintenance activity. With many interconnected components and dependencies, patching can be time-consuming, resource-intensive, and difficult to coordinate, increasing the risk that important fixes are delayed or overlooked. At SecurityBridge, we understand these challenges.
The SecurityBridge Patch Management for SAP solution helps organizations identify missing patches across their SAP landscape while providing clear visibility, impact analysis, and automated implementation support. By delivering a system-wide overview, it helps accelerate patching cycles, reduce operational effort, and strengthen continuous threat monitoring, contributing to a more secure and resilient SAP environment throughout 2026.
HotNews
As always, we’ll start with the HotNews notes, the highest-priority category. This month, we have 4 notes to consider in this category.
3747367 – Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP
This vulnerability concerns all SICF nodes that have the interactive GUI setting active (SAP GUI for HTML). Normally, that is the tree /sap/bc/gui and all the subsides but it concerns any other with this setting active as well. The fix is provided via a kernel patch which means there is downtime involved. This is often a reason why patches are not immediately applied!. Apply the kernel patch or consider the workaround to deactivate all relevant nodes. See FAQ note 3779058 for additional information.
For SecurityBridge users: active ICF nodes can be easily found via the Security & Compliance monitor > tools > ICF Services. This is a great help to apply assess the impact of this note and to apply the workaround.
3720138 – HTTP Request Smuggling in SAP Approuter
This HTTP Request Smuggling vulnerability concerns the SAP Approuter. Perhaps a component that is not too familiar for technical administrators. Nevertheless, the Approuter often plays a vital role in BTP connectivity and this vulnerability can have a large impact on confidentially and availability. In this case, Approuters are affected that do not run in Cloud Foundry. See note 3770203 for additional information concerning XSUAA.
Make sure to update relevant Approuter deployments with the updated Node.js package.
3753495 – Insecure Sample Credentials in SAP Commerce Cloud
This vulnerability is catalogued as a ‘documentation error’ but make no mistake, it is a HotNews note for a reason! On SAP Commerce Cloud, a sample OAuth2 client may exist with a well-known set of credentials that gives access to the system. This client may be there because of delivered scripts. Make sure the client trusted_client does not exist or has at least updated (not-well known) credentials. See FAQ note 3758007 for additional information.
3727078 – Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)
The note has earlier released and now updated with support package and patch information. Check if this update applies to your landscape now.
High-Priority Notes
Next up is the High Priority category. A level lower than HotNews but no reason to consider these notes as unimportant. There are 6 notes in this category this month, see the highlights below:
3758101 – Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell)
Various vulnerabilities have been found in Apache Camel, which is the foundation for SAP Cloud Integration. As a PaaS offering, these vulnerabilities are taken care off by SAP in Cloud Integration but for the Edge Integration Cell, the updated version of Integration Cell needs to be applied by the customer. There is a workaround available but the update is – as always – the way to go forward.
3692165 – DLL Hijacking vulnerability in SAProuter on Microsoft Windows
The SAPRouter component exists already for a long time in SAP landscapes and facilitates RFC traffic. A vulnerability has been found that allows DLL hijacking. It is relevant for Windows-based SAPRouter installations (obviously) and requires an updated version of the SAPRouter.
The note also advises other security measures which are very relevant to consider!
3763800 – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Various vulnerabilities have been found on SAP Commerce Cloud which are all related to the Apache Tomcat server that is used underneath. See the note for the instructions on how to update for either Public Cloud or on-premise situations. Workaround are available. See FAQ note 3768608 for additional information.
3741519 – Open Redirect vulnerability in SAP Approuter
The Approuter was already subject to one of the HotNews security notes. But also for this redirect vulnerability. Make sure to update to the mentioned version. But also: configure the redirect-urls in a strict way as mentioned by the note. This is a manual activity!
3773304 – Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach)
The ctsattach tool has a deserialization issue which may lead to remote code execution. The tool is no longer available and should no longer be used. Make sure to delete all versions of it according to the note. See note 2473648 for additional information.
Medium- and Low-Priority Notes
As we see almost every patch cycle, the majority of security notes fall into the Medium or Low category. This time 8 and 2 respectively. These issues can typically be resolved by simply applying the supplied patches. We highlight additional key findings below, and for a full breakdown, please scroll to the end of this post.
3732522 – Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service)
This vulnerability concerns the User Self Service in a HANA XS classic setup. Apply the patch (preferred) or disable the user self service functionality as a workaround.
SAP Security Notes July 2026
Highlights
A relative high number of HotNews and High priority notes for the month of July
Summary by Severity
The July release contains a total of 20 patches for the following severities:
| Severity | Number | Hot News | 4 |
|---|---|
High | 6 |
Medium | 8 |
Low | 2 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3747367 | [CVE-2026-44747] Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP Priority: HotNews Released on: 7/14/26 Components: BC-FES-ITS Category: Program error | Hot News | 9.9 |
| 3753495 | [CVE-2026-44761] Insecure Sample Credentials in SAP Commerce Cloud Priority: HotNews Released on: 7/14/26 Components: CEC-SCC-COM-BC-OCC Category: Documentation error | Hot News | 9.1 |
| 3720138 | [CVE-2026-27690] HTTP Request Smuggling in SAP Approuter Priority: HotNews Released on: 7/14/26 Components: BC-XS-APR Category: Program error | Hot News | 9.1 |
| 3727078 | [CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) Priority: HotNews Released on: 6/9/26 Components: BC-JAS-WEB Category: Program error | Hot News | 9.0 |
| 3758101 | [CVE-2026-40860] Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell) Priority: Correction with high priority Released on: 7/14/26 Components: LOD-HCI-PI-CON-SOAP Category: Program error | High | 8.8 |
| 3692165 | [CVE-2026-0487] DLL Hijacking vulnerability in SAProuter on Microsoft Windows Priority: Correction with high priority Released on: 7/14/26 Components: BC-CST-NI Category: Program error | High | 8.4 |
| 3748227 | [CVE-2026-44752] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard) Priority: Correction with high priority Released on: 7/14/26 Components: BC-INS-CTC-RT Category: Program error | High | 8.2 |
| 3741519 | [CVE-2026-44745] Open Redirect vulnerability in SAP Approuter Priority: Correction with high priority Released on: 7/14/26 Components: BC-CP-APR Category: Program error | High | 8.1 |
| 3763800 | [Multiple CVEs] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud Priority: Correction with high priority Released on: 7/14/26 Components: CEC-SCC-PLA-PL Category: Program error | High | 8.1 |
| 3773304 | [CVE-2026-58233] Remote Code Execution vulnerability in SAP Change and Transport SystemÊAttach Tool (ctsattach) Priority: Correction with high priority Released on: 7/14/26 Components: BC-CTS-TMS-PLS Category: Program error | High | 7.6 |
| 3692004 | [CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP Priority: Correction with medium priority Released on: 4/14/26 Components: BC-FES-ITS Category: Program error | Medium | 6.1 |
| 3746678 | [CVE-2026-44759] Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal Priority: Correction with medium priority Released on: 7/14/26 Components: EP-PIN-AI-SRA Category: Program error | Medium | 6.1 |
| 3537373 | [CVE-2026-44769] SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) Priority: Correction with medium priority Released on: 7/14/26 Components: PPM-PRO Category: Program error | Medium | 5.5 |
| 3754659 | [CVE-2026-44760] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) Priority: Correction with medium priority Released on: 7/14/26 Components: BC-BSP Category: Program error | Medium | 4.7 |
| 3515598 | [CVE-2026-44771] Missing Authorization check in SAP S/4HANA (Draft operation) Priority: Correction with medium priority Released on: 7/14/26 Components: FIN-FSCM-CLM-COP Category: Program error | Medium | 4.3 |
| 3713902 | [CVE-2026-44770] Missing Authorization check in SAP S/4 HANA (Create Single Payment) Priority: Correction with medium priority Released on: 7/14/26 Components: FI-FIO-AP-PAY Category: Program error | Medium | 4.3 |
| 3682699 | [CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad) Priority: Correction with medium priority Released on: 6/9/26 Components: CA-FLP-FE-COR Category: Program error | Medium | 4.2 |
| 3155685 | [CVE-2026-44768] Security misconfiguration in SAP CRM (WebClient UI) Priority: Correction with medium priority Released on: 7/14/26 Components: CA-WUI-UI Category: Program error | Medium | 4.1 |
| 3732522 | [CVE-2026-44753] - Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service) Priority: Correction with low priority Released on: 7/14/26 Components: HAN-AS-XS Category: Program error | Low | 3.7 |
| 3726899 | [CVE-2025-68161] Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java Priority: Correction with low priority Released on: 6/9/26 Components: BC-JAS-SEC-UME Category: Program error | Low | 3.3 |
