2026-07-14 · view entry permalink →
SAP July 2026 Security Patch Day: three CVSS ≥9.1 flaws in NetWeaver AS ABAP, Approuter and Commerce Cloud — two reachable without authentication
SAP's July 2026 Security Patch Day (14 July) carries three critical flaws NCSC Switzerland's Cyber Security Hub relayed directly to Swiss constituents, none with reported exploitation at publication (NCSC-CH, 2026-07-14; Onapsis Research Labs, 2026-07-14). CVE-2026-44747 (CVSS 9.9) is a memory-corruption flaw in the SAP NetWeaver Application Server ABAP kernel; SecurityWeek characterises successful exploitation as allowing an attacker to access and modify data and cause system unavailability, and SAP's only interim workaround (disabling the affected ICF nodes) is impractical because it breaks SAP GUI for HTML, so patching the kernel is the real mitigation (SecurityWeek, 2026-07-14). CVE-2026-27690 (CVSS 9.1) is an HTTP request-smuggling flaw in SAP Approuter's non-Cloud-Foundry deployments: an unauthenticated request desynchronises the request/response stream on a shared front-end, a primitive usable to poison or hijack another user's request. CVE-2026-44761 (CVSS 9.1) is a hardcoded sample OAuth2 credential in SAP Commerce Cloud — any customer that ran SAP's own documented sample configuration and never rotated the shipped secret exposes a publicly-known credential an unauthenticated attacker can use to obtain a valid OCC-API access token (Onapsis Research Labs, 2026-07-14).
The vulnerability affects SAP Approuter deployments in non-Cloud Foundry environments and allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization.
Exploitation requires that the customer execute the sample script and retain the resulting OAuth2 client in production without replacing the hardcoded secret.
Successful exploitation of the security defect could allow an attacker to access and modify data, and cause system unavailability, SAP security firm Onapsis explains.