
SAP has addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter.
The first critical issue patched this month is a memory corruption security issue (tracked as CVE-2026-44747) stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP), the runtime environment, application server, and development platform for core SAP enterprise software.
“SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability,” SAP says. “This has high impact on confidentiality, integrity, and availability of the application.”
The second one (CVE-2026-27690) is an HTTP Request Smuggling vulnerability in SAP Approuter, a Node.js-based middleware library for cloud-based apps deployed on the company’s Business Technology Platform (SAP BTP).
Unauthenticated attackers can exploit this flaw via specially crafted HTTP requests to access user responses and trigger denial-of-service attacks on the targeted system.
The third critical flaw addressed today (tracked as CVE-2026-44761) was found in the SAP Commerce Cloud enterprise e-commerce platform and stems from default credentials that enable attackers to get valid access tokens and read or modify data via certain APIs.
SAP’s July 2026 advisory also lists fixes for six high-severity flaws, seven medium-severity ones, and one low-severity vulnerability, including DLL hijacking, open redirect, missing authorization checks, remote code execution, cross-site scripting (XSS), path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations.
While the company has yet to find evidence that the vulnerabilities patched today have been exploited in attacks, CISA has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog since November 2021, including two that were abused by ransomware gangs.
Most recently, SAP fixed 15 vulnerabilities as part of its June 2026 Security Patch package, and attackers compromised multiple official SAP npm packages in a supply chain attack aimed at stealing credentials from developers’ systems.
The German multinational software corporation has reported total revenues exceeding €36 billion in fiscal year 2025 and servers 99 of the 100 largest companies worldwide.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
