CVE-2026-34263 / CVE-2026-34260 — SAP Commerce Cloud pre-auth RCE, S/4HANA Enterprise Search SQL injection

SAP's May 2026 Security Patch Day (2026-05-12) released 17 patches, three HotNews (Onapsis, 2026-05-12; SecurityWeek, 2026-05-12; NCSC-CH Security Hub #12565, 2026-05-12). CVE-2026-34263 (CVSS 9.6, CWE-459 Incomplete Cleanup) is a missing authentication on SAP Commerce Cloud's cloud-config endpoint caused by overly permissive Spring Security ordering — an unauthenticated attacker can upload arbitrary configuration and reach server-side code execution. Affects HY_COM 2205 and COM_CLOUD 2211 / 2211-JDK21. CVE-2026-34260 (CVSS 9.6) is SQL injection in the SAP S/4HANA Enterprise Search for ABAP component, missing input validation; affected SAP_BASIS 751–758 and 816. Authentication required but the blast radius is full database read / write. CVE-2026-34259 (CVSS 8.2) is OS-command injection in SAP Forecasting & Replenishment (authenticated). A third HotNews note (SAP #3747787) acknowledges the impact of the Mini Shai-Hulud npm worm (see § 4 / § 5) on SAP Cloud Application Programming (CAP) packages. No ITW exploitation reported. SAP S/4HANA is the backbone ERP for Swiss federal administration (NOVE / SUPERB programmes) and many EU institutions; SAP Commerce Cloud commonly powers e-government procurement portals — both of which sit close to the public-internet boundary. Detection concepts mapped to T1190 (Commerce Cloud) and T1190 + T1213 (S/4HANA): instrument the SAP HTTP front-end logs for Spring Security rule-bypass patterns on cloud-config endpoints; audit ABAP Enterprise Search call logs for anomalous SQL-syntax payloads in user-input fields. Hardening: apply SAP Notes via the May 2026 patch day; disable Enterprise Search ABAP if not in operational use; restrict Commerce Cloud cloud-config endpoint to administrative networks.