SAP July 2026 Security Patch Day: three CVSS ≥9.1 flaws in NetWeaver AS ABAP, Approuter and Commerce Cloud — two reachable without authentication
SAP's July 2026 Security Patch Day (14 July) carries three critical flaws NCSC Switzerland's Cyber Security Hub relayed directly to Swiss constituents, none with reported exploitation at publication (NCSC-CH, 2026-07-14; Onapsis Research Labs, 2026-07-14). CVE-2026-44747 (CVSS 9.9) is a memory-corruption flaw in the SAP NetWeaver Application Server ABAP kernel; SecurityWeek characterises successful exploitation as allowing an attacker to access and modify data and cause system unavailability, and SAP's only interim workaround (disabling the affected ICF nodes) is impractical because it breaks SAP GUI for HTML, so patching the kernel is the real mitigation (SecurityWeek, 2026-07-14). CVE-2026-27690 (CVSS 9.1) is an HTTP request-smuggling flaw in SAP Approuter's non-Cloud-Foundry deployments: an unauthenticated request desynchronises the request/response stream on a shared front-end, a primitive usable to poison or hijack another user's request. CVE-2026-44761 (CVSS 9.1) is a hardcoded sample OAuth2 credential in SAP Commerce Cloud — any customer that ran SAP's own documented sample configuration and never rotated the shipped secret exposes a publicly-known credential an unauthenticated attacker can use to obtain a valid OCC-API access token (Onapsis Research Labs, 2026-07-14).
The vulnerability affects SAP Approuter deployments in non-Cloud Foundry environments and allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization.
Exploitation requires that the customer execute the sample script and retain the resulting OAuth2 client in production without replacing the hardcoded secret.
Successful exploitation of the security defect could allow an attacker to access and modify data, and cause system unavailability, SAP security firm Onapsis explains.
Defender actions
- Audit SAP Commerce Cloud for CVE-2026-44761: check whether the instance ever ran SAP's documented sample OAuth2 configuration and left the shipped client secret in production; if so, rotate that secret and apply SAP Note 3753495 — the credential is publicly known, so patching without rotating leaves a valid attacker token.
- Patch the unauthenticated, network-reachable SAP Approuter request-smuggling flaw (CVE-2026-27690, SAP Note 3720138) on any non-Cloud-Foundry Approuter fronting shared back-ends, and apply the NetWeaver AS ABAP kernel fix (CVE-2026-44747, SAP Note 3747367).
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Credential Access TA0006
T1552.001Unsecured Credentials: Credentials In Files
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.