SAP Security Patch Day – May 2026
As May gets underway, SAP security should remain firmly in focus. Although this month’s patch volume is not particularly high, it is still a clear reminder that delaying security updates can create unnecessary risk. Applying patches on time remains one of the most reliable ways to reduce exposure to known vulnerabilities and limit the attack surface across SAP landscapes!
This month’s SAP Security Patch Day includes 16 Security Notes – including 1 interim update – that require careful review. Each Patch Day can introduce fixes affecting different parts of the SAP environment, and even a smaller release may contain notes with important security implications. Below, we outline the most relevant notes from May and what they could mean for your SAP landscape.
SAP environments are becoming increasingly complex, often combining on-premise systems, cloud services, and hybrid architectures. This makes patch management much more than a standard maintenance task. With many interconnected components and dependencies, patching can become difficult to plan, resource-intensive, and time-consuming, increasing the risk that important fixes are overlooked. At SecurityBridge, we recognize these challenges.
The SecurityBridge Patch Management for SAP solution helps organizations identify missing patches across their SAP landscape, offering clear visibility, impact analysis, and automated implementation support. By providing a system-wide overview, it helps accelerate patching cycles and strengthen continuous threat monitoring, contributing to a more secure and resilient SAP environment throughout 2026.
SecurityBridge Findings!
At SecurityBridge, we don’t just provide a comprehensive SAP security platform; we are also deeply committed to ongoing research within the SAP security domain.
For this month’s release, our latest discoveries include:
- Medium priority: note 3718508 – [CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management
HotNews
Let’s start with HotNews, the highest-priority category. This month, we have 3 notes to consider in this category.
3733064 – Missing authentication check in SAP Commerce Cloud configuration
In SAP Commerce Cloud, a configuration upload functionality exists that can be exploited for arbitrary code execution. The issue is caused by a Spring Security configuration, and the patches mentioned in the note disable this functionality by default. Important: a rebuild and redeployment are required to fix the issue! This will require downtime; see FAQ note 3746113 for additional information.
3724838 – SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)
This vulnerability is caused by user input that is not validated securely. This allows an (authenticated) attacker to inject SQL statements for further exploitation. Many SAP Basis versions are affected, and the patch should be applied regardless of whether the search function is used. The patch can be implemented without interruption and has no impact on functionality, so there is no real reason not to implement it swiftly. See FAQ note 3747935.
3747787 – Malicious open-source packages in SAP Cloud Application Programming Model & MTA Build Tool
This HotNews note is a bit of a ‘strange one’ in terms of classification. It was released earlier this month as a HotNews note because of the severity of the identified issues. At the same time, the note has been given a CVSS score of 0.0 by SAP. Let this not lower your guard, because this note is a HotNews note for a good reason. If you have built applications using NPM packages, make sure to check that these do not include the affected versions. Review the note carefully and take corresponding action! See also the separate blog we wrote on this topic.
Remark: we list the note with CVSS 10.0 instead of 0.0 below to underline its importance.
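The check the note asks for, as an added example (not code from SAP or SecurityBridge): walk a `package-lock.json` (v1 nested `dependencies`, or v2/v3 `packages` keyed by install path) and report every installed copy of a package at a listed version, including copies nested under other dependencies. The package names and versions in `AFFECTED` are constructed placeholders; replace them with the versions listed in note 3747787.

```javascript
// Placeholder list of compromised package@version pairs (constructed, not real findings).
// Fill this from SAP Note 3747787 before running against a real lockfile.
const AFFECTED = {
  "@example/placeholder-pkg": ["1.2.3", "1.2.4"],
  "placeholder-build-helper": ["0.9.1"],
};

function check(name, version, where, out) {
  // Exact version match only: a "fixed" version of the same package is not a hit.
  if ((AFFECTED[name] || []).includes(version)) out.push({ name, version, where });
}

// Lockfile v2/v3 keys entries by install path, e.g. "node_modules/a/node_modules/@s/b";
// the package name is everything after the last "node_modules/" (scoped names keep the slash).
function nameFromPath(installPath) {
  const idx = installPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : installPath.slice(idx + "node_modules/".length);
}

// Lockfile v1 nests "dependencies" objects keyed by package name; recurse to catch
// vulnerable copies that are only installed transitively.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = `${prefix}node_modules/${name}`;
    check(name, entry.version, where, out);
    walkV1(entry.dependencies, `${where}/`, out);
  }
}

function findAffected(lock) {
  const out = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      const name = entry.name || nameFromPath(p); // root entry "" carries its own name
      if (name) check(name, entry.version, p, out);
    }
  } else {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Constructed sample lockfile (v3 layout): one clean copy, two flagged copies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-cap-app", version: "1.0.0" },
    "node_modules/placeholder-build-helper": { version: "0.9.0" },
    "node_modules/@example/placeholder-pkg": { version: "1.2.3" },
    "node_modules/foo/node_modules/placeholder-build-helper": { version: "0.9.1" },
  },
};
```

For a real project, load the lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass it to `findAffected`; an empty result means no listed version is installed anywhere in the tree.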
High-Priority Notes
Next up is the High Priority category of which we have only 1 note to consider this month.
3732471 – OS Command Injection Vulnerability in SAP Forecasting & Replenishment
This OS Command Execution vulnerability exists in the mentioned version of SAP SCM and simply requires patching to mitigate.
Medium- and Low-Priority Notes
As we see almost every patch cycle, the majority of security notes fall into the Medium or Low category: this time 11 and 1, respectively. These issues can typically be resolved by simply applying the supplied patches. We highlight additional key findings below, and for a full breakdown, please scroll to the end of this post.
Business Server Pages (BSP) anyone?
BSP may be considered an ‘outdated’ technology from the past, superseded by the likes of SAPUI5/Fiori. That does not mean you can skip it altogether! This month we have no less than 3 security notes related to BSP which shows how long technology can ‘linger’ in an IT landscape and should not be forgotten.
3727717 – Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)
Component Based Test Automation (CBTA) uses a BSP application called TAF_APPLAUNCHER. If you don’t use CBTA, it can be disabled as a workaround; apply the fix for a permanent solution.
3721959 – Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)
A missing authorization check allows a user to exploit the Balanced Scorecard Wizard in SAP SEM. Apply the patch to fix it (or disable the functionality altogether as a workaround).
3728690 – Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)
An XSS vulnerability was discovered because of URL parameters that lack proper encoding on BSP pages. This requires patching of the SAP Basis component.
Further remarks
3716450 – [CVE-2025-68161] Potential Improper Certificate Validation in SAP Commerce Cloud (Apache Log4j)
Another vulnerability was discovered in SAP Commerce Cloud and yet again because of a vulnerability in an underlying component: the (infamous) Apache Log4j library. SAP Commerce Cloud in the public cloud is not affected. For other versions, see the note for rebuild and redeploy actions.
3726962 – [CVE-2026-40131] SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library
This note may have the lowest CVSS score, but it gives an indication of how to check whether the system has actually been exploited, something that is not often specified in security notes!
SAP Security Notes May 2026
Highlights
An average number of security notes for the month of May with 3 HotNews notes. We highlight note 3747787 that despite its CVSS score (listed below as 10.0 instead of 0.0) should be closely followed up!
Summary by Severity
The May release contains a total of 16 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 3 |
| High | 1 |
| Medium | 11 |
| Low | 1 |
| Note | Description | Priority | Released on | Components | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|
| 3747787 | Malicious open-source packages in SAP Cloud Application Programming Model & MTA Build Tool | HotNews | 4/29/26 | BC-XS-CDX-NJS | Program error | Hot News | 10.0 |
| 3733064 | [CVE-2026-34263] Missing authentication check in SAP Commerce Cloud configuration | HotNews | 5/12/26 | CEC-SCC-CDM-BO-APP | Program error | Hot News | 9.6 |
| 3724838 | [CVE-2026-34260] SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP) | HotNews | 5/12/26 | BC-EIM-ESH | Program error | Hot News | 9.6 |
| 3732471 | [CVE-2026-34259] OS Command Injection Vulnerability in SAP Forecasting & Replenishment | Correction with high priority | 5/12/26 | SCM-FRE-FRP | Program error | High | 8.2 |
| 3730019 | [CVE-2026-40135] OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 5/12/26 | BC-ABA-SC | Program error | Medium | 6.5 |
| 3718083 | [CVE-2026-40133] Missing Authorization check in SAP S/4HANA Condition Maintenance | Correction with medium priority | 5/12/26 | SD-MD-CM | Program error | Medium | 6.3 |
| 3727717 | [CVE-2026-40137] Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER) | Correction with medium priority | 5/12/26 | SV-SMG-TWB-CBT | Program error | Medium | 6.1 |
| 3667593 | [CVE-2026-0502] Cross Site Request Forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform | Correction with medium priority | 5/12/26 | BI-BIP-INV | Program error | Medium | 5.4 |
| 3721959 | [CVE-2026-40132] Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) | Correction with medium priority | 5/12/26 | FIN-SEM-CPM-BSC | Program error | Medium | 5.4 |
| 3716450 | [CVE-2025-68161] Potential Improper Certificate Validation in SAP Commerce Cloud (Apache Log4j) | Correction with medium priority | 5/12/26 | CEC-SCC-PLA-PL | Program error | Medium | 4.8 |
| 3726583 | [CVE-2026-34258] Content Spoofing vulnerability in SAPUI5 (Search UI) | Correction with medium priority | 5/12/26 | HAN-AS-INA-UI | Program error | Medium | 4.7 |
| 3728690 | [CVE-2026-27682] Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) | Correction with medium priority | 5/12/26 | BC-BSP | Program error | Medium | 4.7 |
| 3713521 | [CVE-2026-40136] Denial of service (DoS) in SAP Financial Consolidation | Correction with medium priority | 5/12/26 | EPM-BFC-PSI | Program error | Medium | 4.3 |
| 3735359 | [CVE-2026-40129] Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform | Correction with medium priority | 5/12/26 | BC-MID-ICF | Program error | Medium | 4.3 |
| 3718508 | [CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management | Correction with medium priority | 5/12/26 | ICM | Program error | Medium | 4.3 |
| 3726962 | [CVE-2026-40131] SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library | Correction with low priority | 5/12/26 | HAN-DB-DI | Program error | Low | 3.4 |
