
Safe Tuesday with SNOK: May's flood of vulnerabilities in SAP

SAP has published 15 security patches - two of them rated CVSS 9.6. If your organisation runs S/4HANA or Commerce Cloud, you now have a short window to decide, before someone else decides for you.

15 SAP patches, two of which won’t wait - May’s 2026 Patch Day

On 12 May 2026, SAP published 15 security notes. Two of them carry a CVSS score of 9.6 - well inside the Critical band (9.0-10.0). One concerns S/4HANA, the other Commerce Cloud. Both vulnerability classes - SQL Injection and missing authentication - are exactly what attackers look for after every Patch Day, when they diff the patched code and read the public changelogs to locate the flaw.

This is a regular, monthly SAP Patch Day. What is irregular is that a single month produced two Critical notes at once.


What happened - the facts

On the second Tuesday of May - in line with the schedule - SAP published a package of 15 patches. Breakdown by priority:

  • 2 Critical (CVSS 9.6)
  • 1 High (CVSS 8.2)
  • 11 Medium (CVSS 4.3-6.5)
  • 1 Low (CVSS 3.4)

The two Critical notes are not the result of a single flaw in a single location. They are two independent issues in two different SAP products that entered the public database on the same day.

Note 3724838 - SQL Injection in SAP S/4HANA (Enterprise Search for ABAP), CVSS 9.6

Enterprise Search for ABAP is the indexing and search component built into S/4HANA. An SQL Injection vulnerability allows an attacker - depending on the affected endpoint, either with low privileges or without authentication at all - to alter the database queries the component builds from its input. The consequences: reading data they should not see, and potentially writing or deleting it. A CVSS score of 9.6 means the attack has been assessed as remotely exploitable with a low barrier to entry; the exact vector string, and whether authentication is required, is stated in the note itself.
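To make the vulnerability class concrete, here is an added example (not SAP code, and not derived from note 3724838, whose specifics are only in the note): a small search function over an in-memory SQLite database with constructed sample tables. The vulnerable version concatenates the search term into the SQL text, so a term containing a quote can terminate the literal and append a UNION against a table the search feature was never meant to expose; the hardened version binds the term as a parameter, and the same payload simply matches nothing.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a searchable product table and a
    credentials table that the search feature should never reveal."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (name TEXT, description TEXT);
        CREATE TABLE credentials (username TEXT, api_key TEXT);
        INSERT INTO products VALUES ('Widget', 'Standard widget');
        INSERT INTO products VALUES ('Gadget', 'Premium gadget');
        INSERT INTO credentials VALUES ('svc_search', 'k-3f9a1c');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # Vulnerable: the user's term becomes part of the SQL text. A quote in the
    # term closes the LIKE literal, and everything after it is parsed as SQL.
    sql = f"SELECT name, description FROM products WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, term: str) -> list:
    # Hardened: the term is bound as a parameter. The engine receives it as a
    # value, never as SQL text, so quotes and keywords inside it are inert.
    sql = "SELECT name, description FROM products WHERE name LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


# Constructed payload: closes the literal, unions in the credentials table,
# and comments out the trailing "%'" that the query template appends.
PAYLOAD = "' UNION SELECT username, api_key FROM credentials --"


if __name__ == "__main__":
    con = build_demo_db()
    print("normal search   :", search_safe(con, "Wid"))
    print("vulnerable + payload:", search_vulnerable(con, PAYLOAD))  # credentials row leaks
    print("hardened  + payload:", search_safe(con, PAYLOAD))        # []
```

The leak happens without any stacked statement: a single SELECT is enough, which is why "the endpoint only runs read queries" is not a mitigation.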

Note 3733064 - Missing Authentication Check in SAP Commerce Cloud, CVSS 9.6

A missing authentication check is a flaw in access-control design rather than a slip in input handling: an endpoint or function can be reached without the identity verification it was supposed to require. In the case of Commerce Cloud - SAP's e-commerce platform - the consequences are directly commercial: potential access to order data, customer accounts, and pricing configuration.

Note 3732471 - OS Command Injection in SAP Forecasting & Replenishment, CVSS 8.2

OS Command Injection sits in the High category here. It means that input passed through the application interface ends up in a command executed by the operating system, so an attacker can append commands of their own. SAP Forecasting & Replenishment is an inventory planning module - an environment that is less likely to be directly exposed to the internet, but the risk of privilege escalation and lateral movement within the SAP landscape remains real.


Why this matters for organisations - not just technically

Organisations running SAP are, for the most part, large enterprises: manufacturing, distribution, retail, utilities, the public sector. For many of them, SAP is the system of record - the single source of truth for finances, inventory, and business partners.

NIS2 has applied since October 2024. For essential and important entities, this means, among other things, an obligation to manage supplier risk and to update systems within a reasonable timeframe. Leaving a Critical note with a CVSS score of 9.6 unaddressed, and then suffering an incident through it, is ready-made material for a supervisory authority asking: "when did you know, and what did you do?"

DORA for the financial sector goes a step further. Financial institutions are required to test and document their operational resilience. An unpatched critical vulnerability in a transactional system is not a technical oversight - it is an operational risk that belongs in the DORA register.

The exploitation window after Patch Day. When SAP publishes a security note, it simultaneously reveals - indirectly - where to look for the flaw. Security researchers and attackers analyse changelogs and patches within 24-72 hours of publication. Organisations that have not deployed the fix become easier targets than before Patch Day - because the vulnerability’s location is now public.

At SNOK, we see this regularly with our clients: the hardest part is not deciding to patch, but fitting regression testing and a maintenance window into the production schedule. That is precisely where weeks are lost.


Full list of security notes - May 2026

Note    | Product                                   | Vulnerability type              | CVSS | Priority
3724838 | SAP S/4HANA (Enterprise Search for ABAP)  | SQL Injection                   | 9.6  | Critical
3733064 | SAP Commerce Cloud                        | Missing Authentication Check    | 9.6  | Critical
3732471 | SAP Forecasting & Replenishment           | OS Command Injection            | 8.2  | High
3730019 | SAP NetWeaver AS ABAP                     | OS Command Injection            | 6.5  | Medium
3718083 | SAP S/4HANA Condition Maintenance         | Missing Authorization Check     | 6.3  | Medium
3727717 | Business Server Pages (TAF_APPLAUNCHER)   | XSS                             | 6.1  | Medium
3667593 | SAP BusinessObjects BI Platform           | CSRF                            | 5.4  | Medium
3721959 | SAP Strategic Enterprise Management       | Missing Authorization Check     | 5.4  | Medium
3716450 | SAP Commerce Cloud (Log4j)                | Improper Certificate Validation | 4.8  | Medium
3726583 | SAPUI5 (Search UI)                        | Content Spoofing                | 4.7  | Medium
3728690 | SAP NetWeaver ABAP (BSP Applications)     | Reflected XSS                   | 4.7  | Medium
3713521 | SAP Financial Consolidation               | Denial of Service               | 4.3  | Medium
3718508 | SAP Incentive & Commission Management     | Missing Authorization Check     | 4.3  | Medium
3735359 | SAP Application Server ABAP               | Code Injection                  | 4.3  | Medium
3726962 | SAP HANA Deployment Infrastructure (HDI)  | SQL Injection                   | 3.4  | Low

Source: SAP Security Notes & News, May 2026 (support.sap.com)


How to act - four steps, no corporate procedures

Step 1: Identify exposure within 24 hours

Not every organisation runs S/4HANA and Commerce Cloud at the same time. Start with the question: which of the products on the list above are actually running in your landscape? A list of SAP systems, versions, and active components - this should be ready after a single conversation with your Basis team.

If you run S/4HANA with Enterprise Search active: note 3724838 is your number-one priority. If you run Commerce Cloud in a production environment: note 3733064 requires an immediate response.

Step 2: Download and assess the technical note

Every SAP note includes Technical Details - a precise description of the fix, affected versions and components, and prerequisite notes. For a CVSS score of 9.6, also check whether SAP has published a workaround - if so, you can deploy it as a temporary safeguard ahead of the full patch.

Step 3: Plan the maintenance window

Regression testing before deploying a note to production is not optional - it is a necessity. For critical notes, a realistic schedule looks like: transport to DEV → automated/manual testing → transport to QAS → window on PRD. In environments where weekly maintenance windows are already scheduled, bring a Critical note in outside the standard cycle.

Step 4: Document the decision

For environments subject to NIS2 or DORA: record the date, the decision-maker, the risk assessment outcome, and the planned deployment date. This is not bureaucracy - it is evidence of action in the event of an inspection.
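The exposure check of Step 1 and the record of Step 4 are mechanical enough to script. The following is an added example, not a SNOK or SAP tool: it embeds the May 2026 note list as printed on this page, matches it against a constructed landscape inventory (the SIDs S4P, C1P and ERP, their active components, and the per-priority SLA days are all assumptions for illustration), ranks the hits by CVSS and fills in the decision-record fields named in Step 4. Product names are matched exactly as SAP prints them in the note list, so in a real run the inventory must use the same spellings (the list itself refers to AS ABAP under three different names).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

PATCH_DAY = date(2026, 5, 12)

# The May 2026 note list as printed on this page: (note, product, vulnerability, CVSS, priority).
MAY_2026_NOTES = [
    ("3724838", "SAP S/4HANA (Enterprise Search for ABAP)", "SQL Injection", 9.6, "Critical"),
    ("3733064", "SAP Commerce Cloud", "Missing Authentication Check", 9.6, "Critical"),
    ("3732471", "SAP Forecasting & Replenishment", "OS Command Injection", 8.2, "High"),
    ("3730019", "SAP NetWeaver AS ABAP", "OS Command Injection", 6.5, "Medium"),
    ("3718083", "SAP S/4HANA Condition Maintenance", "Missing Authorization Check", 6.3, "Medium"),
    ("3727717", "Business Server Pages (TAF_APPLAUNCHER)", "XSS", 6.1, "Medium"),
    ("3667593", "SAP BusinessObjects BI Platform", "CSRF", 5.4, "Medium"),
    ("3721959", "SAP Strategic Enterprise Management", "Missing Authorization Check", 5.4, "Medium"),
    ("3716450", "SAP Commerce Cloud (Log4j)", "Improper Certificate Validation", 4.8, "Medium"),
    ("3726583", "SAPUI5 (Search UI)", "Content Spoofing", 4.7, "Medium"),
    ("3728690", "SAP NetWeaver ABAP (BSP Applications)", "Reflected XSS", 4.7, "Medium"),
    ("3713521", "SAP Financial Consolidation", "Denial of Service", 4.3, "Medium"),
    ("3718508", "SAP Incentive & Commission Management", "Missing Authorization Check", 4.3, "Medium"),
    ("3735359", "SAP Application Server ABAP", "Code Injection", 4.3, "Medium"),
    ("3726962", "SAP HANA Deployment Infrastructure (HDI)", "SQL Injection", 3.4, "Low"),
]

# Assumed internal deadlines, in days after Patch Day, per SAP priority.
# Hypothetical policy for this example, not an SAP or regulatory figure.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
ACTION = {"Critical": "out-of-cycle window this week", "High": "next maintenance window",
          "Medium": "regular patch cycle", "Low": "regular patch cycle"}


@dataclass
class SapSystem:
    sid: str                                       # system ID as the Basis team reports it
    product: str                                   # product name exactly as SAP prints it
    components: set = field(default_factory=set)   # active components / add-ons


def split_product(name: str):
    """'SAP Commerce Cloud (Log4j)' -> ('SAP Commerce Cloud', 'Log4j');
    a name without parentheses returns (name, None)."""
    m = re.match(r"^(.*?)\s*\((.*)\)$", name)
    return (m.group(1), m.group(2)) if m else (name, None)


def affects(note_product: str, system: SapSystem) -> bool:
    """A note applies when its product begins with the system's product on a word
    boundary and any qualifier (trailing words or a parenthesised component) is
    among the system's active components. No qualifier means the whole product."""
    base, paren = split_product(note_product)
    if not base.startswith(system.product):
        return False
    rest = base[len(system.product):]
    if rest and not rest.startswith(" "):
        return False                      # 'SAP HANA' must not match 'SAP HANAX'
    qualifier = rest.strip() or paren
    return not qualifier or qualifier in system.components


def triage(landscape, notes=MAY_2026_NOTES, patch_day=PATCH_DAY):
    """Return the notes that touch the landscape, most severe first (Step 1)."""
    rows = []
    for note, product, vuln, cvss, prio in notes:
        hit = [s.sid for s in landscape if affects(product, s)]
        if hit:
            rows.append({"note": note, "product": product, "vuln": vuln, "cvss": cvss,
                         "priority": prio, "systems": hit, "action": ACTION[prio],
                         "due": patch_day + timedelta(days=SLA_DAYS[prio])})
    rows.sort(key=lambda r: (-r["cvss"], r["note"]))
    return rows


def decision_record(row, decided_by: str, assessment: str, planned: date,
                    decided_on: date = PATCH_DAY) -> dict:
    """The Step 4 evidence: who decided what, when, and whether the plan meets the deadline."""
    return {"date": decided_on.isoformat(), "decided_by": decided_by, "note": row["note"],
            "product": row["product"], "cvss": row["cvss"], "systems": row["systems"],
            "risk_assessment": assessment, "planned_deployment": planned.isoformat(),
            "within_sla": planned <= row["due"]}


# Constructed example landscape; SIDs and component lists are assumptions.
DEMO_LANDSCAPE = [
    SapSystem("S4P", "SAP S/4HANA", {"Enterprise Search for ABAP"}),
    SapSystem("C1P", "SAP Commerce Cloud"),
    SapSystem("ERP", "SAP NetWeaver AS ABAP"),
]

if __name__ == "__main__":
    rows = triage(DEMO_LANDSCAPE)
    for r in rows:
        print(f"{r['note']}  {r['cvss']:>4}  {r['priority']:<8} {r['systems']}  {r['action']}  due {r['due']}")
    print(decision_record(rows[0], "CISO", "Enterprise Search active on S4P", date(2026, 5, 16)))
```

Run as a script it prints the ranked list for the demo landscape: the two 9.6 notes on S4P and C1P, then 3730019 on ERP. Note 3718083 (Condition Maintenance) and 3716450 (Log4j) are deliberately not hits, because the demo inventory does not list those components; a product match without the named component is the usual way a triage list grows beyond what the Basis team can confirm.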


What SNOK recommends

We have worked with SAP Basis for years - as practitioners, not spreadsheet consultants. May 2026 is a month with two Critical notes at once. That is not the norm, but it is not unprecedented either.

Our recommendations for production systems:

If you run S/4HANA or Commerce Cloud: notes 3724838 and 3733064 require action this week, not in the next quarterly cycle. A CVSS score of 9.6 is a threshold at which a 30-day window is too long.

If you use SAP NetWeaver AS ABAP: note 3730019 (OS Command Injection, CVSS 6.5) concerns the application server underneath far more systems than S/4HANA alone. It is not Critical, but it sits in the landscape of nearly every SAP client.

If you run Commerce Cloud with the Log4j module: note 3716450 (Improper Certificate Validation) is Medium, and it is a certificate-validation issue, not a repeat of Log4Shell. Still, anything with Log4j in the name is worth a closer look, given what the Log4Shell episode taught us about how quickly a logging library becomes the attack surface.

If you need support assessing exposure or organising a maintenance window outside the standard schedule - the SNOK Basis team is available. No sales pitch, no three-week proposal. We have 30+ SAP experts in Warsaw and 26+ reference implementations behind us.


Would you like to see this in practice or discuss deployment within your organisation? Get in touch - we will respond within 48 hours.


Safe Tuesday with SNOK is published regularly after every SAP Patch Day. Next edition: June 2026.

Jacek Bugajski - CEO, SNOK Sp. z o.o.

Topics: Safe Tuesday SAP security SAP S/4HANA SAP HANA
