SAP vulnerability update

SecurityBridge Research Labs Update – Q1 2026

SecurityBridge
March 31, 2026

Our Mission: Making the World Run More Secure

The SecurityBridge Research Lab is at the forefront of SAP cybersecurity, driving innovation through advanced vulnerability research, collaborative disclosure, and cutting-edge product integration. By combining technical expertise with strong partnerships, the Lab continuously strengthens the resilience of SAP landscapes worldwide. Our mission is clear: identify critical vulnerabilities, enable responsible remediation, and deliver research-driven solutions that empower organizations to protect their most vital business systems. All to make the world run more secure.


Key Achievements in Q1 2026

  • High-Impact Vulnerability Research:
    • A total of 7 SAP 0-day vulnerabilities were responsibly disclosed and remediated by SAP
    • A vulnerability in SAP BTP Cloud Foundry was reported and silently patched
  • Critical CVSS Scores:
    • CVSS scores ranging up to 9.1 (HotNews) for an ABAP code injection vulnerability in SAP S/4HANA

Highlights of Reported Vulnerabilities

In Q1 of 2026, SAP patched a total of 7 vulnerabilities discovered by the SecurityBridge Research Lab:

| Note | CVE | Description | Severity | CVSS | Month Fixed | Platform |
|---|---|---|---|---|---|---|
| 3697979, 3694242 | CVE-2026-0491 / CVE-2026-0498 | Remote-enabled FM CNVCF_JSTAT_UP allows code injection | HotNews | 9.1 | Jan 2026 | S/4HANA |
| 3680416 | CVE-2026-23681 | Remote-enabled FM /SDF/SM_PATCHES provides information about the system without a proper authorization check | Medium | 4.3 | Feb 2026 | NetWeaver |
| 3691645 | CVE-2026-0486 | Remote-enabled FM /SDF/EWA_SAPOSCOL_B provides information such as internal IP addresses and other HW and OS specifics without sufficient authorization checks; the only check is on S_DATASET (PROGRAM SAPLSMON, ACTVT 33, FILENAME /usr/sap/tmp/hw_srv01sm1.xml) | Medium | 5.0 | Feb 2026 | NetWeaver |
| 3678009 | CVE-2026-24326 | Remote-enabled FMs /ISDFPS/BAPI_ALE_TEST_SEND and /ISDFPS/BAPI_ALETEST8_SEND perform a direct update on a standard SAP table without an authorization check | Medium | 4.3 | Feb 2026 | S/4HANA |
| 3705882 | CVE-2026-24322 | Remote-enabled FM /SDF/SCSI_GET_HARDWARE_INFO discloses information such as internal IP addresses and versions without a proper authorization check | High | 7.7 | Feb 2026 | NetWeaver |
| Fixed in cloud | n.a. | Incorrect status for SSH-enabled Cloud Foundry app | n.a. | Undisclosed | Feb 2026 | BTP (fixed in BTP) |
| 3707930 | CVE-2026-24313 | ABAP code injection in SAP Solution Manager | Medium | 5.0 | Mar 2026 | NetWeaver |

Critical Alert: CVE-2026-0491/0498

Special Note:

  • CVE-2026-0491/0498 describe a critical Remote Code Execution vulnerability capable of full SAP system compromise. Exploitation could enable malware deployment, data theft, fraud, or operational disruption. SAP released a HotNews patch in January 2026, and our team delivered Virtual Patching capabilities in SecurityBridge products to protect customers during the remediation window. Make sure to apply SAP Security Notes 3694242 and 3697979 swiftly where applicable to your SAP landscape (the SecurityBridge Patch Management module can be used for that).

A breakdown of the severity and the CVSS score was provided as charts (severity distribution and CVSS score distribution), which are not reproduced here.

As we respect a grace period of 3 months to allow customers to implement the patches, full details about the vulnerabilities found cannot be shared yet. However, for some of the above released patches, SecurityBridge has shipped product updates to detect execution of vulnerable ABAP programs via our Virtual Patching functionality.

How We Discover Vulnerabilities

The SecurityBridge Research Lab applies a multi-faceted methodology, combining:

  • Proprietary Tools – To index, scan, and analyze large-scale SAP codebases.
  • Reverse Engineering – Uncovering hidden flaws in SAP components.
  • Design & Architecture Reviews – Exposing systemic weaknesses.
  • Practical Exploitation Testing – Validating real-world impact and eliminating false positives.

This rigorous approach ensures accuracy, ethical compliance, and maximum security value for SAP customers.

Risk Assessment & Customer Protection

  • Authentication Requirements: All reported vulnerabilities require at least low-level authentication, with the majority enabling privilege escalation. 
  • Critical Risk: The HotNews-class ABAP code injection represents the highest risk, with the potential for complete compromise of SAP systems and data.
  • Integrated Protection: To protect customers, SecurityBridge Patch Management integrates research-driven updates, enabling rapid identification and mitigation of emerging threats.

Recommendation: Organizations must apply the relevant SAP Security Notes promptly and leverage SecurityBridge's integrated monitoring and patching capabilities.

Recognition & Acknowledgements

The contributions of our researchers continue to be recognized by SAP. In Q4 the SecurityBridge Research Lab received acknowledgements for its discoveries, exemplifying the talent and dedication within our Lab. SAP has acknowledged the Lab in every single month of 2025 and of 2026 so far.

How to protect yourself

To stay protected against the aforementioned vulnerabilities and others, it is imperative to apply the patches as soon as possible, with proper testing. The SecurityBridge Research Lab is tightly integrated with product development, leading to continuous updates, e.g. in the area of the SecurityBridge Patch Management module. Make sure to identify the SAP Security Notes relevant to your SAP systems and apply them as soon as possible.