Inprosec, through services such as the SAP Security Assessment, helps its customers improve the security level of their SAP systems.
April 2026 Notes
Monthly Summary and Highlights
This month there were 20 notes in total (19 new and 1 update), 5 more than in March. One Hot News note was published, one fewer than in the previous period. There is 1 high-criticality note, the same number as in March. Medium and low criticality notes are not reviewed here, so we provide details on a total of 2 notes (all those with a CVSS of 7 or higher).
We have a total of 20 notes for the whole month (19 are new and 1 is an update of a note from previous months).
We will review in detail a total of 2 notes, the Hot News note and the high-criticality note:
- The highest criticality note of the month (CVSS 9.9) is a Hot News and is related to “SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse”.
- The second and last note we will review (CVSS 7.1) is of high criticality and covers “Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)”.
The predominant note type this month was “Missing Authorization check” (9/20 on the patch day).
In the chart we can see the classification of April’s notes, as well as the evolution and classification of the previous 5 months (only the notes from Sec. Tuesday / Patch Day – by SAP):
Full details
The complete detail of the most relevant notes is as follows:
- SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse (3719353): Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system. A temporary workaround is available. CVSS v3 Base Score 9.9/10 [CVE-2026-27681]
- Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) (3731908): Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight‑character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected. A temporary workaround is available. CVSS v3 Base Score 7.1/10 [CVE-2026-34256]
Reference links
Other references, from SAP and Onapsis (April):
Resources affected
The full list of affected systems/components is as follows:
- SAP Business Planning and Consolidation and SAP Business Warehouse: HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816
- SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise): SAP_FIN 618, 720, 730, EA-FIN 617, 700, SAPSCORE 135, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606




