ctipilot.ch

SAP Commerce Cloud / Data Hub missing HTTP security headers via Spring Security (CVSS 9.1)

cve · CVE-2026-22732

Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
Briefs: 1 (1 distinct)
Sources cited: 18 (11 hosts)
Sections touched: 0
Co-occurring entities: 4

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10

Source distribution

  • bleepingcomputer.com: 3 (17%)
  • sansec.io: 3 (17%)
  • onapsis.com: 2 (11%)
  • security-hub.ncsc.admin.ch: 2 (11%)
  • support.sap.com: 2 (11%)
  • ccb.belgium.be: 1 (6%)
  • imperva.com: 1 (6%)
  • securityaffairs.com: 1 (6%)
  • other: 3 (17%)


Items in briefs about SAP Commerce Cloud / Data Hub missing HTTP security headers via Spring Security (CVSS 9.1) (1)

CVE-2026-44748 — SAP June Patch Day: SAML XML Signature Wrapping in NetWeaver AS ABAP (CVSS 9.9) plus an unauth RFC kernel memory-corruption (CVSS 9.8)

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

SAP's June Patch Day (9 June) shipped multiple HotNews notes; the most severe affect NetWeaver AS ABAP and ABAP Platform, the ERP backbone across Swiss federal/cantonal administration and EU public-sector bodies (Onapsis, 2026-06-09).

CVE-2026-44748 (CVSS 9.9) is an XML Signature Wrapping (XSW) flaw in the SAML authentication handler: an attacker takes a legitimately signed SAML assertion and substitutes attacker-controlled identity data for the element the handler actually processes, while the signature over the original element still verifies, enabling privilege escalation and account takeover. It spans SAP_BASIS 702–919, an unusually broad patch footprint (NCSC-CH, 2026-06-09).

CVE-2026-27671 (CVSS 9.8) is memory corruption via improper RFC protocol validation, reachable unauthenticated over the network; CVE-2026-40128 (CVSS 9.0) is a path traversal in the NetWeaver AS Java Web Container; CVE-2026-22732 (CVSS 9.1) is a missing-security-headers bug in Spring Security affecting Commerce Cloud/Data Hub (SAP, 2026-06-09). Exploitation status is listed as UNKNOWN for all four.

Apply the June SAP Security Notes (SAP Note 3746332 is the SAML XSW fix for CVE-2026-44748), and enable RFC gateway ACLs (gw/acl_mode=1) and SNC to reduce the RFC-kernel exposure. CCB Belgium issued a parallel public-sector "patch now" advisory (CCB, 2026-06-09).
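The XSW pattern the brief describes, as an added illustrative binding check in Python (not SAP's code and not the fix in SAP Note 3746332): it rejects a SAML Response unless the signature's Reference covers exactly the Assertion about to be consumed. The Response samples are constructed, and cryptographic verification of the signature is assumed to happen separately in the SAML library.

```python
# Added, illustrative check (not SAP's code): refuse a SAML Response unless the
# element the signature covers (ds:Reference/@URI) is exactly the Assertion the
# application is about to consume, and exactly one Assertion is present.
# Assumed: assertion-level enveloped signature; cryptographic verification of
# that signature is left to the SAML library and not repeated here.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def select_signed_assertion(xml_bytes: bytes) -> str:
    """Return the ID of the single, correctly bound Assertion or raise ValueError."""
    root = ET.fromstring(xml_bytes)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:  # wrapping plants a second Assertion somewhere in the tree
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion not in list(root):  # it must sit where the handler expects it
        raise ValueError("Assertion is not a direct child of the Response")
    sig = assertion.find("ds:Signature", NS)
    refs = [] if sig is None else sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise ValueError("Assertion must carry a signature with exactly one Reference")
    uri = refs[0].get("URI", "")
    if uri != "#" + assertion.get("ID", ""):  # signed element == consumed element
        raise ValueError(f"Reference {uri!r} does not cover the consumed Assertion")
    return assertion.get("ID")

def is_rejected(xml_bytes: bytes) -> bool:
    """True when the binding check refuses the Response."""
    try:
        select_signed_assertion(xml_bytes)
        return False
    except ValueError:
        return True

# Constructed sample messages (not captured traffic); digests and key material omitted.
HDR = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
       b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">')
SIGNED = (b'<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
          b'</ds:SignedInfo></ds:Signature><saml:Subject><saml:NameID>alice</saml:NameID>'
          b'</saml:Subject></saml:Assertion>')
GOOD = HDR + SIGNED + b"</samlp:Response>"
# Wrapped: forged unsigned Assertion in the consumed position, original moved elsewhere.
WRAPPED = (HDR + b'<saml:Assertion ID="_forged"><saml:Subject><saml:NameID>admin</saml:NameID>'
           b'</saml:Subject></saml:Assertion><samlp:Extensions>' + SIGNED + b'</samlp:Extensions></samlp:Response>')
# Misbound: one Assertion, but its signature Reference points at a different ID.
MISBOUND = HDR + SIGNED.replace(b'ID="_a1"', b'ID="_forged"') + b"</samlp:Response>"
```

The check only binds the signed element to the consumed element; it complements, and does not replace, signature verification and issuer/audience/time validation.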