15 SAP patches, two of which won’t wait - May 2026 Patch Day
On 12 May 2026, SAP published 15 security notes. Two of them carry a CVSS score of 9.6 - the highest threshold in the Critical category. One concerns S/4HANA, the other Commerce Cloud. Both vulnerability classes - SQL Injection and missing authentication - belong to the category that attackers actively hunt for after every Patch Day, by analysing public changelogs.
This is a regular, monthly SAP Patch Day. What is irregular is that a single month produced two Critical notes at once.
What happened - the facts
On the second Wednesday of May - in line with the schedule - SAP published a package of 15 patches. Breakdown by priority:
- 2 Critical (CVSS 9.6)
- 1 High (CVSS 8.2)
- 11 Medium (CVSS 3.4-6.5)
- 1 Low (CVSS 3.4)
The two Critical notes are not the result of a single flaw in a single location. They are two independent issues in two different SAP products that entered the public database on the same day.
Note 3724838 - SQL Injection in SAP S/4HANA (Enterprise Search for ABAP), CVSS 9.6
Enterprise Search for ABAP is the indexing and search component built into S/4HANA. An SQL Injection vulnerability allows an attacker - with certain privileges or via an unauthenticated endpoint - to manipulate database queries. The consequences: reading data they should not see; potentially writing or deleting it. A CVSS score of 9.6 means the attack has been assessed as remotely exploitable, with a low barrier to entry.
Note 3733064 - Missing Authentication Check in SAP Commerce Cloud, CVSS 9.6
A missing authentication check is an architectural flaw, not an implementation one. An endpoint or function is accessible without the required identity verification. In the case of Commerce Cloud - SAP’s e-commerce platform - the consequences are directly commercial: potential access to order data, customer accounts, and pricing configuration.
Note 3732471 - OS Command Injection in SAP Forecasting & Replenishment, CVSS 8.2
This note is rated High. OS Command Injection is the ability to inject operating-system commands through the application interface. SAP Forecasting & Replenishment is an inventory planning module - an environment where direct exposure through e-commerce channels is less likely, but the risk of privilege escalation within the SAP landscape remains real.
Why this matters for organisations - not just technically
Organisations running SAP are, for the most part, large enterprises: manufacturing, distribution, retail, utilities, the public sector. For many of them, SAP is the system of record - the single source of truth for finances, inventory, and business partners.
NIS2 has applied since October 2024. For essential and important entities, this means, among other things, an obligation to manage supplier risk and to update systems within a reasonable timeframe. Failing to respond to a Critical note with a CVSS score of 9.6 - while an incident is under way - is ready-made material for a supervisory authority asking: “when did you know, and what did you do?”
DORA for the financial sector goes a step further. Financial institutions are required to test and document their operational resilience. An unpatched critical vulnerability in a transactional system is not a technical oversight - it is an operational risk that belongs in the DORA register.
The exploitation window after Patch Day. When SAP publishes a security note, it simultaneously reveals - indirectly - where to look for the flaw. Security researchers and attackers analyse changelogs and patches within 24-72 hours of publication. Organisations that have not deployed the fix become easier targets than before Patch Day - because the vulnerability’s location is now public.
At SNOK, we see this regularly with our clients: the hardest part is not deciding to patch, but fitting regression testing and a maintenance window into the production schedule. That is precisely where weeks are lost.
Full list of security notes - May 2026
| Note | Product | Vulnerability type | CVSS | Priority |
|---|---|---|---|---|
| 3724838 | SAP S/4HANA (Enterprise Search for ABAP) | SQL Injection | 9.6 | Critical |
| 3733064 | SAP Commerce Cloud | Missing Authentication Check | 9.6 | Critical |
| 3732471 | SAP Forecasting & Replenishment | OS Command Injection | 8.2 | High |
| 3730019 | SAP NetWeaver AS ABAP | OS Command Injection | 6.5 | Medium |
| 3718083 | SAP S/4HANA Condition Maintenance | Missing Authorization Check | 6.3 | Medium |
| 3727717 | Business Server Pages (TAF_APPLAUNCHER) | XSS | 6.1 | Medium |
| 3667593 | SAP BusinessObjects BI Platform | CSRF | 5.4 | Medium |
| 3721959 | SAP Strategic Enterprise Management | Missing Authorization Check | 5.4 | Medium |
| 3716450 | SAP Commerce Cloud (Log4j) | Improper Certificate Validation | 4.8 | Medium |
| 3726583 | SAPUI5 (Search UI) | Content Spoofing | 4.7 | Medium |
| 3728690 | SAP NetWeaver ABAP (BSP Applications) | Reflected XSS | 4.7 | Medium |
| 3713521 | SAP Financial Consolidation | Denial of Service | 4.3 | Medium |
| 3718508 | SAP Incentive & Commission Management | Missing Authorization Check | 4.3 | Medium |
| 3735359 | SAP Application Server ABAP | Code Injection | 4.3 | Medium |
| 3726962 | SAP HANA Deployment Infrastructure (HDI) | SQL Injection | 3.4 | Low |
Source: SAP Security Notes & News, May 2026 (support.sap.com)
How to act - four steps, no corporate procedures
Step 1: Identify exposure within 24 hours
Not every organisation runs S/4HANA and Commerce Cloud at the same time. Start with the question: which of the products on the list above are actually running in your landscape? A list of SAP systems, versions, and active components should be ready after a single conversation with your Basis team.
If you run S/4HANA with Enterprise Search active: note 3724838 is your number-one priority. If you run Commerce Cloud in a production environment: note 3733064 requires an immediate response.
Step 2: Download and assess the technical note
Every SAP note includes Technical Details - a precise description of the fix, affected versions and components, and prerequisite notes. For a CVSS score of 9.6, also check whether SAP has published a workaround - if so, you can deploy it as a temporary safeguard ahead of the full patch.
Step 3: Plan the maintenance window
Regression testing before deploying a note to production is not optional - it is a necessity. For critical notes, a realistic schedule looks like: transport to DEV → automated/manual testing → transport to QAS → window on PRD. In environments where weekly maintenance windows are already scheduled, bring a Critical note in outside the standard cycle.
Step 4: Document the decision
For environments subject to NIS2 or DORA: record the date, the decision-maker, the risk assessment outcome, and the planned deployment date. This is not bureaucracy - it is evidence of action in the event of an inspection.
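One way to run the four steps as a single checklist script, added here as an illustration (it is not SNOK's or SAP's tooling): it matches a constructed sample landscape against the May 2026 notes from the table above, assigns a PRD deadline under an assumed internal policy (7/14/30/90 days by priority), and produces the decision record from Step 4. The landscape inventory, the policy and the component-matching rule are assumptions.

```python
from collections import namedtuple
import datetime as dt

PATCH_DAY = dt.date(2026, 5, 12)
# Assumed internal deadline policy (days from Patch Day to PRD), not an SAP requirement
DEADLINE_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}

# component: the optional component that must be active for the note to apply ("" = whole product)
Note = namedtuple("Note", "number product component vuln cvss")
# Subset of the May 2026 notes taken from the table above
MAY_2026_NOTES = [
    Note(3724838, "SAP S/4HANA", "Enterprise Search for ABAP", "SQL Injection", 9.6),
    Note(3733064, "SAP Commerce Cloud", "", "Missing Authentication Check", 9.6),
    Note(3732471, "SAP Forecasting & Replenishment", "", "OS Command Injection", 8.2),
    Note(3730019, "SAP NetWeaver AS ABAP", "", "OS Command Injection", 6.5),
    Note(3716450, "SAP Commerce Cloud", "Log4j", "Improper Certificate Validation", 4.8),
]

# components: active optional components, as reported by the Basis team
SapSystem = namedtuple("SapSystem", "sid product components")
# Constructed sample landscape, not a real inventory
LANDSCAPE = [
    SapSystem("S4P", "SAP S/4HANA", {"Enterprise Search for ABAP"}),
    SapSystem("S4Q", "SAP S/4HANA", set()),  # Enterprise Search never activated
    SapSystem("CCP", "SAP Commerce Cloud", {"Log4j"}),
    SapSystem("NWP", "SAP NetWeaver AS ABAP", set()),
]

def priority(cvss):
    """Map a CVSS base score to the priority bands used in the table."""
    return "Critical" if cvss >= 9.0 else "High" if cvss >= 7.0 else "Medium" if cvss >= 4.0 else "Low"

def exposure(landscape, notes):
    """Step 1: pair each system with the notes that apply to it, highest CVSS first."""
    hits = [(s.sid, n) for s in landscape for n in notes
            if n.product == s.product and (not n.component or n.component in s.components)]
    return sorted(hits, key=lambda h: -h[1].cvss)

def deadline(note):
    """Step 3: latest acceptable PRD date under the assumed policy."""
    return PATCH_DAY + dt.timedelta(days=DEADLINE_DAYS[priority(note.cvss)])

def decision_record(sid, note, decided_by, risk, planned_iso, workaround=False):
    """Step 4: the evidence record an NIS2/DORA inspection will ask for."""
    planned = dt.date.fromisoformat(planned_iso)
    return {"note": note.number, "system": sid, "priority": priority(note.cvss), "cvss": note.cvss,
            "recorded": dt.date.today().isoformat(), "decided_by": decided_by, "risk_assessment": risk,
            "planned_deployment": planned_iso, "workaround_applied": workaround,
            "overdue": planned > deadline(note)}
```

Note that S4Q produces no hit for note 3724838 because Enterprise Search is not active there, which is exactly the component check Step 1 asks the Basis team for.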
What SNOK recommends
We have worked with SAP Basis for years - as practitioners, not spreadsheet consultants. May 2026 is a month with two Critical notes at once. That is not the norm, but it is not a precedent either.
Our recommendations for production systems:
If you run S/4HANA or Commerce Cloud: notes 3724838 and 3733064 require action this week, not in the next quarterly cycle. A CVSS score of 9.6 is a threshold at which a 30-day window is too long.
If you use SAP NetWeaver AS ABAP: note 3730019 (OS Command Injection, CVSS 6.5) affects systems far more common than S/4HANA. It is not Critical, but it sits in the landscape of nearly every SAP client.
If you run Commerce Cloud with the Log4j module: note 3716450 (Improper Certificate Validation) is Medium - but anything with Log4j in the name is always worth checking more closely, given what the Log4Shell episode taught us about vigilance.
If you need support assessing exposure or organising a maintenance window outside the standard schedule - the SNOK Basis team is available. No sales pitch, no three-week proposal. We have 30+ SAP experts in Warsaw and 26+ reference implementations behind us.
Would you like to see this in practice or discuss deployment within your organisation? Get in touch - we will respond within 48 hours.
Safe Tuesday with SNOK is published regularly after every SAP Patch Day. Next edition: June 2026.
Jacek Bugajski - CEO, SNOK Sp. z o.o.