On 14 July 2026, SAP released its July security patch bundle: 16 new security notes, 1 GitHub advisory and 3 updates to earlier notes - 20 items in total to review. At the top of the list sit four HotNews vulnerabilities, the highest of which - a memory corruption flaw in NetWeaver AS ABAP - carries a CVSS score of 9.9.
KEY THREATS:
1/ Memory Corruption in SAP NetWeaver AS ABAP (CVSS 9.9) - note 3747367,
2/ HTTP Request Smuggling in SAP Approuter (CVSS 9.1) - note 3720138,
3/ Insecure sample credentials in SAP Commerce Cloud (CVSS 9.1) - note 3753495,
4/ Directory Traversal in NetWeaver AS Java Web Container (CVSS 9.0) - note 3727078.
Two of the four HotNews notes and part of the High Priority notes were produced in collaboration with Onapsis Research Labs.
What happened - the facts
On the second Tuesday of July, following its monthly schedule, SAP published its July Security Patch Day. The breakdown by priority:
- 4 HotNews (CVSS 9.0-9.9)
- 6 High Priority (CVSS 7.6-8.8)
- 8 Medium (CVSS 4.1-6.1)
- 2 Low (CVSS 3.3-3.7)

Three items are updates to notes from previous months (among others, the June note on Directory Traversal in NetWeaver AS Java and an update related to Apache Log4j). One item is an advisory published in the GitHub Advisory database for the ui5/webcomponents-base component.
What sets July apart is the scale of HotNews. Four notes in the highest category in a single month, with memory corruption at the top, is a situation that calls for a plan, not a single patch.
Critical vulnerabilities (HotNews)
These require an immediate response - patching within a 24-72 hour window. Below is a detailed description of each vulnerability.
SAP Note 3747367 | CVE-2026-44747 | CVSS 9.9 | HotNews
Memory Corruption Vulnerability in SAP NetWeaver Application Server ABAP
Component: BC-FES-ITS (NetWeaver AS ABAP) | Patch delivered via kernel packages: KRNL64NUC 7.22, 7.22EXT; KRNL64UC 7.22, 7.53, 7.54, 7.77, 7.89, 7.93; KERNEL 9.16-9.20
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability description
A memory corruption error in NetWeaver AS ABAP. An authenticated attacker with low privileges, operating remotely and without user interaction, can cause unauthorized data access, data modification, privilege escalation or system unavailability. The changed scope (S:C) in the CVSS vector means the impact extends beyond the component where the vulnerability originates - hence the 9.9 rating despite the authentication requirement.
Why this is the most important note of the month
The patch is delivered through SAP kernel packages, and the range of affected versions (from 7.22 through 9.20) is very broad. In practice, in most SAP landscapes at least one system runs on one of these kernel versions - regardless of whether it is S/4HANA or classic ECC. That is why the response starts with checking the kernel patch level, not with a single module.
SAP Note 3720138 | CVE-2026-27690 | CVSS 9.1 | HotNews
HTTP Request Smuggling in SAP Approuter
Component / versions: SAP Approuter (node.js version < 20.10.0)
Vulnerability description
Request/response desynchronization (request/response smuggling) allows an unauthenticated attacker from outside the Cloud Foundry environment to manipulate HTTP traffic passing through Approuter. The consequences include smuggling requests inside legitimate sessions, cache poisoning and bypassing access controls at the routing layer. The fix involves updating the node.js dependency.
SAP Note 3753495 | CVE-2026-44761 | CVSS 9.1 | HotNews
Insecure Sample Credentials in SAP Commerce Cloud
Component / versions: HY_COM 2205; COM_CLOUD 2211, 2211-JDK21
Vulnerability description
Default OAuth2 credentials left in sample scripts made their way into production environments. Known, hard-coded credentials are one of the easiest classes of vulnerability to exploit - the attacker does not need to break any protection, it is enough to know data that is publicly available in the documentation or examples. The response is not only to apply the note, but also to rotate and invalidate any credentials that may have been exposed.
SAP Note 3727078 | CVE-2026-40128 | CVSS 9.0 | HotNews (June update)
Directory Traversal in SAP NetWeaver Application Server Java (Web Container)
Component / versions: ENGINEAPI 7.50
Vulnerability description
Directory traversal in the NetWeaver AS Java Web Container allows access to files outside the intended application directory. The note was originally published in June 2026 in collaboration with Onapsis Research Labs and was updated in July. If you responded to it in June, check the scope of the update.
High Priority vulnerabilities
| Note | CVE | CVSS | Product / component | Vulnerability type |
|---|---|---|---|---|
| 3758101 | CVE-2026-40860 (+ -40453, -33454) | 8.8 | SAP Integration Suite - Edge Integration Cell (< 8.43.11) | Multiple Apache Camel flaws |
| 3692165 | CVE-2026-0487 | 8.4 | SAProuter for Windows | DLL Hijacking |
| 3748227 | CVE-2026-44752 | 8.2 | NetWeaver AS Java - Configuration Wizard (LMCTC 7.50) | Cross-Site Scripting (XSS) |
| 3741519 | CVE-2026-44745 | 8.1 | SAP Approuter | Open Redirect in OAuth2 |
| 3763800 | CVE-2026-43512 / -41293 / -43515 | 8.1 | Apache Tomcat in SAP Commerce Cloud | Multiple Apache Tomcat flaws |
| 3773304 | CVE-2026-58233 | 7.6 | Change and Transport System - Attach Tool | Remote Code Execution (RCE) |
Three High Priority notes (Edge Integration Cell, Commerce Cloud/Tomcat) concern vulnerabilities in open source components embedded in SAP products - Apache Camel and Apache Tomcat. It is a reminder that the SAP attack surface does not end at ABAP code; it spans the entire stack, including third-party libraries.
Note 3773304 deserves particular attention - RCE in the Attach Tool of the transport system (CTS). Remote code execution in the transport layer is a direct risk to the integrity of the landscape through which all changes pass between DEV, QAS and PRD.
Full list of security notes - July 2026
| Note | CVE | CVSS | Priority | Product / component | Vulnerability type |
|---|---|---|---|---|---|
| 3747367 | CVE-2026-44747 | 9.9 | HotNews | SAP NetWeaver AS ABAP (kernel) | Memory Corruption |
| 3720138 | CVE-2026-27690 | 9.1 | HotNews | SAP Approuter | HTTP Request Smuggling |
| 3753495 | CVE-2026-44761 | 9.1 | HotNews | SAP Commerce Cloud | Insecure Sample Credentials |
| 3727078 | CVE-2026-40128 | 9.0 | HotNews | NetWeaver AS Java (Web Container) | Directory Traversal (June update) |
| 3758101 | CVE-2026-40860 | 8.8 | High | SAP Integration Suite (Edge Integration Cell) | Multiple Apache Camel flaws |
| 3692165 | CVE-2026-0487 | 8.4 | High | SAProuter (Windows) | DLL Hijacking |
| 3748227 | CVE-2026-44752 | 8.2 | High | NetWeaver AS Java (Configuration Wizard) | XSS |
| 3741519 | CVE-2026-44745 | 8.1 | High | SAP Approuter | Open Redirect |
| 3763800 | CVE-2026-43512 | 8.1 | High | Apache Tomcat in SAP Commerce Cloud | Multiple Apache Tomcat flaws |
| 3773304 | CVE-2026-58233 | 7.6 | High | CTS Attach Tool | Remote Code Execution |
| 3746678 | CVE-2026-44759 | 6.1 | Medium | SAP NetWeaver Enterprise Portal | XSS |
| GHSA-p8gx-753q-v89p | CVE-2026-44767 | 6.1 | Medium | ui5/webcomponents-base (< 2.21.0) | Allowlist bypass / CSS injection |
| 3537373 | CVE-2026-44769 | 5.5 | Medium | SAP S/4HANA PPM | SQL Injection |
| 3754659 | CVE-2026-44760 | 4.7 | Medium | NetWeaver AS ABAP (BSP) | XSS |
| 3515598 | CVE-2026-44771 | 4.3 | Medium | SAP S/4HANA (Draft operation) | Missing Authorization Check |
| 3713902 | CVE-2026-44770 | 4.3 | Medium | SAP S/4HANA (Create Single Payment) | Missing Authorization Check |
| 3682699 | CVE-2026-24315 | 4.2 | Medium | SAP Fiori Launchpad | Path Traversal (June update) |
| 3155685 | CVE-2026-44768 | 4.1 | Medium | SAP CRM WebClient UI | Security Misconfiguration |
| 3732522 | CVE-2026-44753 | 3.7 | Low | SAP HANA XS classic | Information Disclosure |
| 3726899 | CVE-2025-68161 | 3.3 | Low | NetWeaver AS Java | Apache Log4j (June update) |
Source: SAP Security Patch Day - July 2026 (support.sap.com) and analysis by Onapsis Research Labs. CVE numbers for some Medium/Low notes should be confirmed in the SAP Support Portal at deployment time.
Why this matters for enterprises
Companies running SAP are most often large enterprises: manufacturing, distribution, retail, utilities, public sector. For many of them, SAP is the system of record - the single source of truth for finances, inventory and business partners.
A kernel-level patch affects almost everyone. The memory corruption in note 3747367 is not a vulnerability in a single functional module. The patch is delivered through SAP kernel packages, and the range of affected versions - from 7.22 through 9.20 - is very broad. In most landscapes at least one system runs on one of these versions, regardless of whether it is ECC or S/4HANA. The question is not “does this affect me”, but “which kernel version is running on my production systems”.
NIS2 has applied since October 2024. For essential and important entities it means, among other things, an obligation to manage vulnerabilities and update systems within a reasonable timeframe. A lack of response to a HotNews note with CVSS 9.9 - combined with an incident - is a ready-made question from a supervisory authority: “when did you know and what did you do?”. At SNOK we cover this area with a NIS2 and DORA audit.
DORA for the financial sector goes further. Financial institutions are obliged to test and document operational resilience. An unpatched critical vulnerability in a transactional system is not a technical oversight - it is an operational risk that belongs in the DORA register.
The exploitation window after Patch Day. By publishing a note, SAP indirectly reveals where to look for the flaw. Researchers and attackers analyze the fixes within 24-72 hours of publication. Unpatched systems become an easier target than before Patch Day - because the location of the vulnerability is now public. For notes involving ready-made credentials (3753495) the window is even shorter.
At SNOK we see this regularly: the hardest part is not making the decision to patch, but fitting the regression test and the maintenance window into the production schedule. That is where weeks are lost.
How to act - four steps without corporate red tape
Step 1: Establish your exposure within 24 hours
Start with the kernel. Check the kernel versions on all ABAP systems (transaction SM51 / kernel patch level) and match them against the list of affected versions in note 3747367. Then identify which of the other products on the list actually run in your landscape: Approuter, Commerce Cloud, Integration Suite, SAProuter, CTS Attach Tool. This should be ready after one conversation with your Basis team.
Step 2: Prioritize by real exposure, not just CVSS
Patching order:
- ABAP kernel (3747367) - priority number one, because it affects almost every system.
- Approuter and Commerce Cloud (3720138, 3753495) - if they are exposed to the internet, respond immediately. For 3753495, remember to rotate credentials, not just apply the patch.
- CTS Attach Tool (3773304) - RCE in the transport layer; it is not HotNews, but the risk to landscape integrity is high.
Step 3: Plan the maintenance window
A regression test before deploying to production is a necessity, not an option. For HotNews notes a realistic path is: transport / kernel patch on DEV → automated or manual test → QAS → window on PRD. For critical notes, step outside the standard quarterly cycle. A kernel update usually requires a restart - factor that into the window.
Step 4: Document the decision
For environments under NIS2 or DORA, record the date, the decision-maker, the risk assessment outcome and the planned deployment date. This is not bureaucracy - it is evidence of action in case of an audit.
What SNOK recommends
We have worked with SAP Basis and SAP security for years - as practitioners, not spreadsheet consultants. July 2026 is a month with four HotNews notes, including a vulnerability in the ABAP kernel rated CVSS 9.9. This is not a routine Patch Day.
Our recommendations for production systems:
If you run any ABAP system (ECC, S/4HANA, NetWeaver): note 3747367 is patched at the kernel level and, given the broad range of versions, reaches almost every landscape. Check your kernel patch level this week.
If you have Approuter or Commerce Cloud exposed to the internet: notes 3720138 and 3753495 require an immediate response. For Commerce Cloud, rotating OAuth2 credentials is just as important as the patch itself.
If you use Integration Suite or Commerce Cloud: notes 3758101 and 3763800 patch Apache Camel and Apache Tomcat. These are open source components inside SAP products - worth including in continuous vulnerability monitoring, not only at Patch Day.
If you manage transports through CTS: note 3773304 (RCE) protects the layer through which all changes in the landscape pass.
If you need support in assessing exposure, updating the kernel or organizing a maintenance window outside the standard schedule - the SNOK Basis team is available. No sales pitch, no three-week proposal. We also support SecurityBridge deployments, which automate the mapping of security notes to your specific landscape and shorten step one from hours to minutes.
Safe Tuesday by SNOK is published regularly after every SAP Patch Day. Next edition: August 2026.
Jarosław Zdanowski - SAP Security, SNOK Sp. z o.o. SNOK: SAP · Cybersecurity · UiPath · Custom Dev · ISO 27001:2022