Through services such as SAP Security Assessment, Inprosec helps its clients improve the security levels of their SAP systems.
June 2026 Notes
Monthly Summary and Highlights
This month's Patch Day brought a total of 15 notes (all new, with no updates to notes from previous months), the same number as in May. Four of them are Hot News, two more than in the previous period, and 2 are of high criticality, one more than in May. Medium- and low-priority notes are not reviewed here, so we cover in detail the 6 notes with a CVSS score of 7 or higher.
We will review in detail the following 6 notes, all of them Hot News or high criticality:
- The highest-criticality note of the month (CVSS 9.9) is a Hot News and is related to “XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform”.
- The second note in criticality (CVSS 9.8) is another Hot News and is related to “Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform”.
- The third note in criticality (CVSS 9.1) is another Hot News and is related to “Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub”.
- The fourth note in criticality (CVSS 9.0) is the last Hot News of the month and is related to “Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)”.
- The fifth note we will review (CVSS 7.4) is of high criticality and covers “Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud”.
- The last note we will review (CVSS 7.1) is of high criticality and covers “Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform”.
The most common vulnerability type this month was “Missing Authorization check” (3 of the 15 notes in the Patch Day).
The chart below shows the classification of the June notes, together with the trend and classification for the previous five months (only notes from SAP's Security Patch Day / Security Tuesday):
Full Detail
The full detail of the most relevant notes is as follows (in English):
- XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform (3746332): SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, leading to unauthorised access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application. A temporary workaround is available. CVSS v3 Base Score 9.9/10 [CVE-2026-44748]
- Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform (3717897): Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity and availability of the application. CVSS v3 Base Score 9.8/10 [CVE-2026-27671]
- Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub (3748262): SAP Commerce Cloud and SAP Data Hub use a version of Spring Security that could be vulnerable to CVE-2026-22732. Under certain conditions Spring Security might not write HTTP response headers, including important security headers, which might lead to a high impact on confidentiality and integrity, with no impact on availability. CVSS v3 Base Score 9.1/10 [CVE-2026-22732]
- Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) (3727078): SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable. CVSS v3 Base Score 9.0/10 [CVE-2026-40128]
- Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (3747484): SAP Commerce Cloud uses a version of Apache Tomcat affected by multiple known vulnerabilities in its certificate-based authentication and validation mechanisms. These flaws may allow unauthorised access, let attackers bypass client certificate enforcement, or allow authentication with revoked certificates. They arise only under specific non-default configurations and have a high impact on confidentiality and integrity of the application, with no impact on availability. A temporary workaround is available. CVSS v3 Base Score 7.4/10 [CVE-2026-29145, CVE-2025-66614, CVE-2026-24734]
- Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform (3735546): Application Server ABAP does not perform the necessary authorisation checks for an authenticated user, allowing an attacker to execute a report generation command that could overwrite information belonging to another user, resulting in escalation of privileges. This has a high impact on integrity, a low impact on availability and no impact on confidentiality of the application. CVSS v3 Base Score 7.1/10 [CVE-2026-44751]
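To make the XML Signature Wrapping (XSW) class behind note 3746332 concrete, here is an added, generic illustration that is not SAP's code and says nothing about how the SAP verifier is implemented. It models a SAML-style response whose signature references the assertion by ID. The IdP key is a hypothetical HMAC key standing in for a real asymmetric signature, namespaces are omitted, and the element names are simplified; the point is the consumer logic: a verifier that checks the signature and then reads the first `Assertion` it finds accepts an attacker's unsigned assertion, while the hardened consumer only uses the element the signature actually covers and insists it sits where the schema expects it.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hypothetical shared MAC key standing in for the IdP's private signing key;
# a real deployment verifies an RSA/ECDSA signature against the IdP certificate.
IDP_KEY = b"demo-idp-signing-key"


def c14n(elem):
    """Canonical serialisation of one element (tail text dropped), as XML DSig digests it."""
    node = copy.deepcopy(elem)
    node.tail = None
    return ET.canonicalize(ET.tostring(node, encoding="unicode"))


def digest(elem):
    return hashlib.sha256(c14n(elem).encode()).hexdigest()


def sign_response(subject, assertion_id="a1"):
    """IdP side: a <Response> whose <Signature> references the <Assertion> by ID."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(root, "Signature")
    signed_info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(signed_info, "Reference", URI="#" + assertion_id)
    ET.SubElement(ref, "DigestValue").text = digest(assertion)
    mac = hmac.new(IDP_KEY, c14n(signed_info).encode(), "sha256").hexdigest()
    ET.SubElement(sig, "SignatureValue").text = mac
    return ET.tostring(root, encoding="unicode")


def wrap(signed_xml, new_subject):
    """Attacker side: keep the signed assertion intact (so the signature still verifies),
    move it out of the way, and put an unsigned assertion where the consumer looks first."""
    root = ET.fromstring(signed_xml)
    original = root.find("Assertion")
    root.remove(original)
    ET.SubElement(root, "Extensions").append(original)
    forged = ET.Element("Assertion", ID="forged")
    ET.SubElement(forged, "Subject").text = new_subject
    root.insert(0, forged)
    return ET.tostring(root, encoding="unicode")


def verify_signature(root):
    """Check SignedInfo's MAC and the referenced element's digest.
    Returns the element the signature actually covers, or None on failure."""
    sig = root.find("Signature")
    if sig is None:
        return None
    signed_info = sig.find("SignedInfo")
    expected = hmac.new(IDP_KEY, c14n(signed_info).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig.findtext("SignatureValue", "")):
        return None
    ref = signed_info.find("Reference")
    target_id = ref.get("URI", "")[1:]
    targets = [e for e in root.iter() if e.get("ID") == target_id]
    if len(targets) != 1:  # missing or duplicated ID: refuse to guess
        return None
    if ref.findtext("DigestValue") != digest(targets[0]):
        return None
    return targets[0]


def subject_vulnerable(xml):
    """Verifies the signature, then reads the *first* Assertion in the document: the XSW bug."""
    root = ET.fromstring(xml)
    if verify_signature(root) is None:
        raise ValueError("signature verification failed")
    return root.findtext(".//Assertion/Subject")


def subject_hardened(xml):
    """Uses only the element the signature covers, and only if it is the single
    Assertion directly under Response, where the schema expects it."""
    root = ET.fromstring(xml)
    signed = verify_signature(root)
    if signed is None:
        raise ValueError("signature verification failed")
    assertions = root.findall("Assertion")
    if signed.tag != "Assertion" or len(assertions) != 1 or assertions[0] is not signed:
        raise ValueError("signed element is not the Response's only Assertion")
    return signed.findtext("Subject")


def subject_or_none(extract, xml):
    try:
        return extract(xml)
    except ValueError:
        return None


if __name__ == "__main__":
    legit = sign_response("alice")
    forged = wrap(legit, "admin")
    print("vulnerable:", subject_vulnerable(legit), subject_vulnerable(forged))
    print("hardened:  ", subject_or_none(subject_hardened, legit),
          subject_or_none(subject_hardened, forged))
```

Both consumers reject a response whose assertion text was edited (the digest no longer matches), which is why teams often believe "the signature is verified" closes the issue; the wrapped document passes the same check and still changes the identity the vulnerable consumer acts on.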
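The directory traversal in note 3727078 is described only as a logon request that manipulates a file inclusion parameter, so the following is an added, generic illustration of that bug class and its fix, not SAP's code and not a claim about how the Web Container resolves includes. `WEB_ROOT` is a hypothetical document root. The vulnerable resolver trusts the parameter; the hardened one decodes exactly once, rejects double-encoding, NUL bytes and absolute paths, and accepts the resolved path only if it is still a descendant of the root (compared by whole path components, not by string prefix).

```python
import posixpath
import urllib.parse

# Hypothetical document root of the web container (illustrative; not an SAP path).
WEB_ROOT = "/srv/webcontainer/app"


def include_path_vulnerable(param):
    """Trusts the request parameter: join it under the root and normalise.
    posixpath.join discards the root for an absolute path, and normpath happily
    walks '..' above it, so the caller can reach any file on the host."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, param))


def include_path_hardened(param):
    """Decode once, reject what should never appear in an include name, resolve,
    and only accept a result that is still inside WEB_ROOT."""
    decoded = urllib.parse.unquote(param)
    if "%" in decoded:  # a second layer of encoding (e.g. %252e) is an attack, not a file name
        raise ValueError("double-encoded include name")
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        raise ValueError("absolute path, NUL or backslash in include name")
    root = posixpath.normpath(WEB_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath compares whole components, so '/srv/webcontainer/app-evil' is not
    # mistaken for a child of '/srv/webcontainer/app' the way startswith() would.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("include name escapes the document root")
    # In production also realpath() the candidate so a symlink under the root cannot escape it.
    return candidate


def resolve_or_none(resolver, param):
    try:
        return resolver(param)
    except ValueError:
        return None


if __name__ == "__main__":
    for p in ["logon/page.jsp", "../../../etc/passwd", "/etc/passwd",
              "..%2F..%2F..%2Fetc%2Fpasswd", "%252e%252e/", "../app-evil/x"]:
        print(f"{p!r:32} vulnerable={include_path_vulnerable(p)!r:28} "
              f"hardened={resolve_or_none(include_path_hardened, p)!r}")
```

The string-prefix check is the classic mistake in hardening attempts: `"/srv/webcontainer/app-evil".startswith("/srv/webcontainer/app")` is true, while `posixpath.commonpath` correctly reports that the two share only `/srv/webcontainer`.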
Reference Links
References, in English, from SAP and Onapsis:
Affected Resources
The complete list of affected systems/components is as follows:
- SAP NetWeaver AS ABAP and ABAP Platform (SAML Authentication): SAP_BASIS 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 804, 816, 918, 919
- SAP NetWeaver AS ABAP and ABAP Platform (Memory Corruption): KRNL64NUC 7.22, 7.22EXT; KRNL64UC 7.22, 7.22EXT, 7.53; KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19
- SAP Commerce Cloud and SAP Data Hub: HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, 2211-JDK21, DHUB_CLOUD 2211
- SAP NetWeaver Application Server Java (Web Container): ENGINEAPI 7.50
- SAP Commerce Cloud (Apache Tomcat): HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
- SAP NetWeaver AS ABAP and ABAP Platform (Missing Authorization): SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816