SAP Security Patch Day – June 2026
As June gets underway, SAP security should remain a key priority! While this month’s patch volume is not unusually high, it is still an important reminder that delaying security updates can introduce unnecessary risk. Applying patches in a timely manner remains one of the most effective ways to reduce exposure to known vulnerabilities and limit the attack surface across SAP landscapes.
This month’s SAP Security Patch Day includes 15 new Security Notes released today, along with 5 in-between note releases or updates, all of which should be carefully reviewed. Every Patch Day can introduce fixes that affect different areas of the SAP environment, and even a moderate release may contain notes with important security implications. Below, we outline the most relevant notes from June and what they could mean for your SAP landscape.
SAP environments continue to become more complex, often running in a hybrid architecture that spans on-premise systems and cloud services. This makes patch management much more than a routine maintenance task. With numerous interconnected components and dependencies, patching can become time-consuming, resource-intensive, and difficult to coordinate, which increases the risk that critical fixes are overlooked. At SecurityBridge, we recognize these challenges.
The SecurityBridge Patch Management for SAP solution helps organizations identify missing patches across their SAP landscape, offering clear visibility, impact analysis, and automated implementation support. By providing a system-wide overview, it helps accelerate patching cycles and strengthen continuous threat monitoring, contributing to a more secure and resilient SAP environment throughout 2026.
HotNews
As always, we’ll start with the HotNews notes, the highest-priority category. This month, we have 6 notes to consider in this category.
3746332 – XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform
This vulnerability allows a user to tamper with XML signatures so that an identity can be misrepresented. As a temporary measure, the issue can be mitigated by disabling SAML authentication altogether, but the permanent fix is, of course, to apply the correction to the relevant ABAP systems in the landscape. See FAQ note 3751245 for additional information.
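As an added example (not SAP's code and not the correction shipped in the note), here is the structural check a SAML consumer needs so that a wrapped document cannot swap the identity it trusts, shown next to the naive pattern that fails. Cryptographic verification of the signature is assumed to be handled by an XML-DSig library, and the sample responses are constructed with a placeholder SignatureValue.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ASSERTION_TAG = f"{{{NS['saml']}}}Assertion"

def _assertion(name_id: str, assertion_id: str, signed: bool) -> str:
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/>'
           '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
           '</ds:Signature>') if signed else ""
    return (f'<saml:Assertion ID="{assertion_id}">{sig}<saml:Subject>'
            f'<saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>')

def _response(*assertions: str) -> str:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            + "".join(assertions) + "</samlp:Response>")

# Constructed samples: the response as issued by the IdP, and the same response
# with an unsigned Assertion placed ahead of the signed one (the wrapped shape).
GOOD = _response(_assertion("alice", "_a1", signed=True))
WRAPPED = _response(_assertion("admin", "_a2", signed=False), _assertion("alice", "_a1", signed=True))

def naive_name_id(xml_text: str) -> str:
    """Vulnerable consumer: trusts whichever Assertion appears first."""
    return ET.fromstring(xml_text).find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text

def signed_name_id(xml_text: str) -> str:
    """Hardened consumer: uses only the element the Signature actually covers."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature")
    refs = sigs[0].findall("./ds:SignedInfo/ds:Reference", NS)
    uri = refs[0].get("URI", "") if len(refs) == 1 else ""
    if not uri.startswith("#"):
        raise ValueError("expected one same-document Reference")
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:
        raise ValueError("signed ID must resolve to exactly one element")
    target = targets[0]
    # the Signature must be enveloped inside the Assertion it covers
    if target.tag != ASSERTION_TAG or sigs[0] not in list(target):
        raise ValueError("signed element is not an enveloped Assertion")
    # any other Assertion in the document is unsigned: refuse the whole response
    if any(a is not target for a in root.iter(ASSERTION_TAG)):
        raise ValueError("unsigned Assertion present in response")
    return target.find("./saml:Subject/saml:NameID", NS).text
```

The naive consumer returns "admin" for the wrapped sample while the hardened one rejects it; in production the same binding step must sit between signature verification and use of the assertion.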
3717897 – Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform
ABAP-based systems use the RFC protocol, a proprietary SAP protocol that has been in use for over 30 years. This vulnerability concerns improper validation of RFC requests, which can lead to memory corruption with serious consequential impact. The fix requires a kernel update, so plan this update accordingly. There is no workaround; see FAQ note 3746936 for additional information.
3748262 – Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub
Every patch cycle, we see vulnerabilities that stem from the use of insecure third-party libraries or frameworks. Because of this, the software that makes use of these components needs an update as well. The same applies to this patch for SAP Commerce Cloud and Data Hub: because of an issue in Spring Security, these software stacks must be updated. There is no workaround; see FAQ note 3761279 for additional information.
3727078 – Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)
A well-known tactic is the so-called ‘path traversal’ attack, in which files, directories or code are accessed outside of the intended context. This vulnerability falls into that category: it allows malicious HTTP logon requests to reach the file system and process files, which can have serious impact. There is no workaround; apply the patch to remediate. See FAQ note 3758864 for additional information.
3733064 – Missing authentication check in SAP Commerce Cloud configuration
This note was released as part of last month’s May release. It has been updated with textual changes only, so there are no additional security risks to consider.
3747787 – Malicious open-source packages in SAP Cloud Application Programming Model & MTA Build Tool
Remember this note from last month? SAP released it as ‘HotNews’ but with a CVSS score of 0.0. That has not changed, but what has changed is that another malicious npm package has been identified. So again: if you make use of npm packages, make sure to double-check them against the latest update in the note!
High-Priority Notes
Next up is the High Priority category: a level below HotNews, but no reason to consider these notes unimportant. There are 3 notes in this category this month.
3732471 – OS Command Injection Vulnerability in SAP Forecasting & Replenishment
This note has been updated slightly with new information about support packages and correction instructions for SCM. Make sure to double-check whether these versions are relevant for your SCM landscape.
3747484 – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Another note concerning SAP Commerce Cloud, and another example of issues introduced by third-party libraries! This time it is, again, Apache Tomcat causing the trouble, with multiple vulnerabilities. Patching is the remedy; see FAQ note 3761235 for additional information.
3735546 – Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform
This High Priority vulnerability simply requires the patch to be applied. Sometimes it is just this easy, and yet so important…
Medium- and Low-Priority Notes
As we see almost every patch cycle, the majority of security notes fall into the Medium or Low category: this time 9 and 2 respectively. These issues can typically be resolved by simply applying the supplied patches. We highlight additional key findings below; for a full breakdown, please scroll to the end of this post.
3748819 – Missing caller identification check-in for ODP Data Replication APIs
This note is listed as a security note, but looking at the issue, it is a slightly different story. As explained in note 3255746, SAP has tightened the use of the ODP Data Replication APIs, as these are ‘intended and designed exclusively for facilitating data transfer between SAP applications’. One of the results is the release of note 3748819, which disables other use of these APIs. Take note if this functionality is used in your landscape!
3682699 – Path Traversal Vulnerability in SAP Fiori (launchpad)
This vulnerability concerns the SAP Fiori launchpad, and the fix is provided in an updated version of UI5. Patching UI5 is always a bit different, so take note of the instructions in note 3155948.
SAP Security Notes June 2026
Highlights
A moderate release of 15 new security notes and 5 in-between updates. We highlight note 3747787, which has been updated (listed below with CVSS 10.0 instead of 0.0).
Summary by Severity
The June release contains a total of 20 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 6 |
| High | 3 |
| Medium | 9 |
| Low | 2 |
| Note | Description | Priority | Released on | Components | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|
| 3747787 | Malicious open-source packages in SAP Cloud Application Programming Model & MTA Build Tool | HotNews | 4/29/26 | BC-XS-CDX-NJS | Program error | Hot News | 10.0 |
| 3746332 | [CVE-2026-44748] XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform | HotNews | 6/9/26 | BC-SEC-LGN-SML | Program error | Hot News | 9.9 |
| 3717897 | [CVE-2026-27671] Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform | HotNews | 6/9/26 | BC-MID-RFC | Program error | Hot News | 9.8 |
| 3733064 | [CVE-2026-34263] Missing authentication check in SAP Commerce Cloud configuration | HotNews | 5/12/26 | CEC-SCC-CDM-BO-APP | Program error | Hot News | 9.6 |
| 3748262 | [CVE-2026-22732] Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub | HotNews | 6/9/26 | CEC-SCC-PLA-PL | Program error | Hot News | 9.1 |
| 3727078 | [CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) | HotNews | 6/9/26 | BC-JAS-WEB | Program error | Hot News | 9.0 |
| 3732471 | [CVE-2026-34259] OS Command Injection Vulnerability in SAP Forecasting & Replenishment | Correction with high priority | 5/12/26 | SCM-FRE-FRP | Program error | High | 8.2 |
| 3747484 | [CVE-2026-29145] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | Correction with high priority | 6/9/26 | CEC-SCC-PLA-PL | Program error | High | 7.4 |
| 3735546 | [CVE-2026-44751] Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform | Correction with high priority | 6/9/26 | BC-DWB-DIC-AC | Program error | High | 7.1 |
| 3748819 | [CVE-2026-44754] Missing caller identification check-in for ODP Data Replication APIs | Correction with medium priority | 6/9/26 | BC-BW-ODP | Program error | Medium | 6.6 |
| 3751691 | [CVE-2026-44744] SQL Injection vulnerability in SAP S/4HANA | Correction with medium priority | 6/9/26 | CA-EPT-SSC | Program error | Medium | 6.5 |
| 3723655 | [CVE-2026-44746] Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (JDBC Test Servlet) | Correction with medium priority | 6/9/26 | BW-BEX-UDI | Program error | Medium | 6.1 |
| 3715280 | [CVE-2026-44757] Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager | Correction with medium priority | 6/9/26 | SV-SMG-DIA-WLY | Program error | Medium | 4.7 |
| 3718508 | [CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management | Correction with medium priority | 5/12/26 | ICM | Program error | Medium | 4.3 |
| 3433366 | [CVE-2026-44749] Information Disclosure vulnerability in SAP Gateway | Correction with medium priority | 5/26/26 | OPU-GW-V4 | Program error | Medium | 4.3 |
| 3687096 | [CVE-2026-44755] Email Spoofing vulnerability in SAP Business Objects Business Intelligence Platform | Correction with medium priority | 6/9/26 | BI-BIP-SEC | Program error | Medium | 4.3 |
| 3673181 | [CVE-2026-44750] Missing Authorization check in SAP MDG (Review Match Groups Application) | Correction with medium priority | 6/9/26 | CA-MDG-CMP-BP | Program error | Medium | 4.3 |
| 3682699 | [CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad) | Correction with medium priority | 6/9/26 | CA-FLP-FE-COR | Program error | Medium | 4.2 |
| 3706000 | [CVE-2026-44743] Security Misconfiguration vulnerability in SAP Business Objects | Correction with low priority | 6/9/26 | BI-BIP-CMC | Program error | Low | 3.7 |
| 3726899 | [CVE-2025-68161] Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java | Correction with low priority | 6/9/26 | BC-JAS-SEC-UME | Program error | Low | 3.3 |
