
SAP Security Patch Day - February 2026


SAP published 29 new security notes as part of Patch Day February 2026 (including updates and interim releases). This nearly matches the record set in July 2025 and signals that 2026 is starting intensively as far as SAP security is concerned. The set includes 3 critical (HotNews) vulnerabilities with a maximum CVSS of 9.9, and 7 High-priority vulnerabilities.

KEY THREATS:

1/ Code Injection in SAP CRM and S/4HANA Scripting Editor (CVSS 9.9),

2/ Missing Authorization check in NetWeaver AS ABAP - S_RFC bypass (CVSS 9.6),

3/ Code Injection in SAP Landscape Transformation (CVSS 9.1 - update from January),

4/ XML Signature Wrapping in NetWeaver AS ABAP (CVSS 8.8),

5/ Two unauthenticated DoS attacks and an Open Redirect in the BusinessObjects BI platform (CVSS 7.3–7.5).

Overview of all security notes

Critical vulnerabilities (HotNews)

Require an immediate response - patching within 24–48 hours. A detailed description of each vulnerability follows below.

SAP Note 3697099  |  CVE-2026-0488  |  CVSS: 9.9  |  HotNews

Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)

Component: CRM-IC-FRW  |  Affected versions: S4FND 102–109, WEBCUIF 700–801, SAP_ABA 700

Vulnerability description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) can exploit a flaw in a generic function module call to execute unauthorised critical functions, including executing arbitrary SQL queries. This leads to full database takeover, with a high impact on confidentiality, integrity, and availability.

Resolution

The program has been extended with additional allowlist-based checks to prevent the invocation of arbitrary function modules. Correction Instructions or Support Packages specified in the security note must be implemented.

Workaround

Deactivate the SICF entry for CRM_IC_ISE: Default Host → SAP → BC → BSP → SAP → CRM_IC_ISE. Right-click and select “Deactivate Service” and confirm. Once deactivated, the old Scripting Editor will no longer be available.

Additional information: FAQ SAP Note 3709553

SAP Note 3674774  |  CVE-2026-0509  |  CVSS: 9.6  |  HotNews

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Component: BC-MID-RFC  |  Affected versions: KERNEL 7.22–9.19, KRNL64UC 7.22–7.53, KRNL64NUC 7.22 

Vulnerability description

SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated user with low privileges to execute background remote RFC function calls without the required S_RFC authorisation. This can result in a high impact on the integrity and availability of the application, with no impact on confidentiality.

Prerequisites

Authorisation checks were not consistently enforced in certain scenarios, allowing users to perform actions beyond their authorised privileges.

Resolution

The relevant authorisation checks have been strengthened. A kernel patch must be applied and the profile parameter rfc/authCheckInPlayback = 2 must be set. For SAP_BASIS 7.00–7.31, the parameter must be added directly in the profile file, or SAP Note 3684751 applied. For SAP_BASIS 7.40 and higher, transactions RZ10/RZ11 can be used.

NOTE: This fix introduces a regression for Kernel 7.22, 7.53, and 7.54 - in that case, SAP Note 3694152 must additionally be implemented. Because the check is now enforced, the change may require granting additional S_RFC authorisations to users whose background RFC calls previously passed without one. UCON customers may need to add the affected function modules to the Communication Assembly (CA).
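An added check for the profile-parameter half of this fix (not SAP's tooling and not from the note): it parses DEFAULT.PFL and each instance profile, applies the precedence SAP uses (instance profile overrides DEFAULT.PFL, anything unset falls back to the kernel default) and reports every instance where rfc/authCheckInPlayback is missing or not 2. The profile texts and instance names are constructed for the example; the kernel patch level itself is not visible in profiles and must be confirmed separately.

```python
# Added example: verify rfc/authCheckInPlayback = 2 across instance profiles.
# Profile format handled: "key = value" lines, lines starting with '#' are comments.
# INCLUDE directives are not resolved (assumption: profiles are self-contained).

EXPECTED = {"rfc/authCheckInPlayback": "2"}   # value required by the note

# Constructed sample profiles, not real customer data.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
"""

INSTANCE_PROFILES = {
    "PRD_D00_app1": """\
# patched instance: parameter added after the kernel patch
SAPSYSTEM = 00
rfc/authCheckInPlayback = 2
""",
    "PRD_D01_app2": """\
# instance where the parameter was never added
SAPSYSTEM = 01
""",
    "PRD_D02_app3": """\
# instance with the parameter set to a value other than 2
SAPSYSTEM = 02
rfc/authCheckInPlayback = 0
""",
}


def parse_profile(text):
    """Return {parameter: value} for one profile file; later lines override earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def effective_parameters(default_profile, instance_profile):
    """Instance profile values override DEFAULT.PFL. A parameter absent from both
    is left out, meaning the kernel default applies (treated as 'not set' below)."""
    merged = dict(parse_profile(default_profile))
    merged.update(parse_profile(instance_profile))
    return merged


def check_instance(default_profile, instance_profile):
    """List the deviations from EXPECTED for one instance (empty list = compliant)."""
    params = effective_parameters(default_profile, instance_profile)
    findings = []
    for key, wanted in EXPECTED.items():
        actual = params.get(key)
        if actual is None:
            findings.append(f"{key} not set (kernel default applies)")
        elif actual != wanted:
            findings.append(f"{key} = {actual}, expected {wanted}")
    return findings


def audit_landscape(default_profile=DEFAULT_PFL, instance_profiles=INSTANCE_PROFILES):
    """Map instance name -> findings, for instances that have any."""
    return {
        name: findings
        for name, profile in instance_profiles.items()
        if (findings := check_instance(default_profile, profile))
    }


if __name__ == "__main__":
    for name, findings in audit_landscape().items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run it against the real DEFAULT.PFL and instance profiles from the profile directory of each application server; an empty result means every instance carries the parameter, not that the kernel patch is in place.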

Workaround

No workaround available.

Additional information: FAQ SAP Note 3676372

SAP Note 3697979  |  CVE-2026-0491  |  CVSS: 9.1  |  HotNews

Code Injection Vulnerability in SAP Landscape Transformation

Component: CA-DT-ANA  |  Affected versions: DMIS 2011_1_700–2020

Vulnerability description

Update to a note originally published as part of the January 2026 Patch Day. SAP Landscape Transformation allows an attacker with administrator privileges to exploit a vulnerability in a function module exposed via RFC. The flaw enables injection of arbitrary ABAP code or operating system commands, bypassing authorisation checks. The vulnerability functions as a backdoor, creating a risk of full system takeover.

February update: a cosmetic change (marked as “reported externally”). If you applied the January fix, no further action is required.

Workaround

No workaround available.

Additional information: FAQ SAP Note 3698186

High-priority vulnerabilities

Recommended patching within 1–2 weeks. A detailed description of each vulnerability follows below.

SAP Note 3697567  |  CVE-2026-23687  |  CVSS: 8.8  |  High

XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform

Component: BC-SEC-WSS  |  Affected versions: SAP_BASIS 700–918

Vulnerability description

SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated attacker with normal privileges to obtain a validly signed message and send modified signed XML documents to the verifier. This can result in the acceptance of forged identity information, unauthorised access to sensitive user data, and potential disruption of normal system operation. Full CIA impact.

Resolution

The affected functions have been improved to correctly verify the XML Signature. Support Packages and Patches specified in the note must be implemented.

Workaround

For authentication: disable SAML authentication. For other uses of signed XML documents - no workaround available.
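The wrapping pattern behind this class of bug, as an added and deliberately simplified example (not code from the SAP note or from SNOK): an HMAC over the serialised element stands in for XMLDSig, and the element names are cut down from SAML. The vulnerable verifier resolves the signature's Reference URI anywhere in the document and then hands the application the first Assertion it finds, so a forged assertion can be placed where the application looks while the genuinely signed one is moved under a wrapper element where the reference still resolves. The hardened verifier only ever consumes the element the signature actually covers, and requires it to be the single top-level Assertion.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Stand-in for the IdP signing key (assumption: HMAC replaces the real RSA/XMLDSig
# machinery so the example runs on the standard library alone).
IDP_KEY = b"idp-signing-key"


def c14n(elem):
    """Minimal canonicalisation: serialise the element without its tail text,
    so the bytes are the same wherever the element sits in the tree."""
    e = copy.deepcopy(elem)
    e.tail = None
    return ET.tostring(e, encoding="utf-8")


def sign(elem):
    return hmac.new(IDP_KEY, c14n(elem), hashlib.sha256).hexdigest()


def idp_response(assertion_id, subject):
    """What the honest IdP issues: <Response><Assertion ID=..><Subject/></Assertion><Signature/></Response>."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(sig, "SignatureValue").text = sign(assertion)
    return ET.tostring(root, encoding="utf-8")


def find_signed_element(root):
    """Resolve the Reference URI to an element with that ID, anywhere in the tree."""
    sig = root.find("Signature")
    ref_id = sig.find("Reference").get("URI")[1:]
    for el in root.iter():
        if el.get("ID") == ref_id:
            return el, sig.find("SignatureValue").text
    raise ValueError("referenced element not found")


def subject_naive(xml_bytes):
    """Vulnerable: checks that *a* referenced element is validly signed, then
    trusts the first Assertion, which need not be that element."""
    root = ET.fromstring(xml_bytes)
    signed, value = find_signed_element(root)
    if not hmac.compare_digest(sign(signed), value):
        raise ValueError("bad signature")
    return root.find("Assertion").find("Subject").text


def subject_safe(xml_bytes):
    """Hardened: the element consumed is the element verified, and it must be
    the one and only top-level Assertion of the Response."""
    root = ET.fromstring(xml_bytes)
    signed, value = find_signed_element(root)
    if not hmac.compare_digest(sign(signed), value):
        raise ValueError("bad signature")
    assertions = root.findall("Assertion")
    if len(assertions) != 1 or assertions[0] is not signed:
        raise ValueError("signed element is not the assertion being consumed")
    return signed.find("Subject").text


def wrap(xml_bytes, forged_subject):
    """Attacker with a validly signed message: move the signed assertion under a
    wrapper (the ID reference still resolves) and put an unsigned, forged
    assertion where the application looks for it."""
    root = ET.fromstring(xml_bytes)
    original = root.find("Assertion")
    root.remove(original)
    forged = ET.Element("Assertion", ID="forged")
    ET.SubElement(forged, "Subject").text = forged_subject
    root.insert(0, forged)
    ET.SubElement(root, "Extensions").append(original)
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    legit = idp_response("A1", "alice")
    evil = wrap(legit, "admin")
    print("naive verifier, legit message :", subject_naive(legit))
    print("naive verifier, wrapped       :", subject_naive(evil))
    try:
        subject_safe(evil)
    except ValueError as exc:
        print("safe verifier, wrapped        : rejected,", exc)
```

The defence is not a stronger signature check but a binding between verification and use: whatever the application acts on must be exactly the node the signature covered, and the document must not carry a second candidate. Real XMLDSig validators add canonicalisation, schema validation and a fixed XPath for the assertion on top of this.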

SAP Note 3705882  |  CVE-2026-24322  |  CVSS: 7.7  |  High

Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)

Component: SV-SMG-SDD  |  Affected versions: ST-PI 2008_1_700–758

Vulnerability description

SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorisation checks for authenticated users, allowing disclosure of sensitive information. High impact on confidentiality, no impact on integrity or availability. Vulnerability discovered by the SecurityBridge research team.

Resolution

The affected function module no longer discloses sensitive information. Correction Instructions or Support Packages specified in the note must be implemented.

Workaround

No workaround available.

SAP Note 3703092  |  CVE-2026-23689  |  CVSS: 7.7  |  High

Denial of service (DOS) in SAP Supply Chain Management

Component: SCM-APO-CA-COP  |  Affected versions: SCM 700–712, SCMAPO 713–

Vulnerability description

An authenticated attacker with normal privileges and network access can repeatedly call a remotely accessible function module with an excessively large loop control parameter. This triggers long-running loop execution consuming excessive system resources, potentially rendering the system unavailable. High impact on availability, no impact on confidentiality or integrity.

Prerequisites

The affected function module was accessible for Remote Function Calls (RFC).

Resolution

The issue has been mitigated by enforcing strict input validation, preventing excessive resource consumption.

Workaround

No workaround available.

SAP Note 3678282  |  CVE-2026-0485  |  CVSS: 7.5  |  High

Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform

Component: BI-BIP-SRV  |  Affected versions: ENTERPRISE 430, 2025, 2027

Vulnerability description

An unauthenticated attacker can send specially crafted requests causing the Content Management Server (CMS) to crash and automatically restart. By repeating the requests, an attacker can trigger a persistent service outage, rendering the CMS completely unavailable. The server did not correctly verify the size of input data.

Resolution

Security controls have been implemented in the communication layer of the SAP BusinessObjects BI platform, ensuring that all data exchanged between processes remains within safe size limits, preventing buffer overflows.

Workaround

Deploy the CORBA SSL configuration as described in the “Configuring backend servers for SSL” section of the “Securing the BI platform” chapter of the administrator guide. Temporary workaround only - SAP strongly recommends implementing the full fix.

SAP Note 3654236  |  CVE-2026-0490  |  CVSS: 7.5  |  High

Denial of service (DOS) in SAP BusinessObjects BI Platform

Component: BI-BIP-SRV  |  Affected versions: ENTERPRISE 430, 2025, 2027

Vulnerability description

An unauthenticated attacker can craft a specific network request to a trusted endpoint, disrupting authentication and blocking access for legitimate platform users. High impact on availability, no impact on confidentiality or integrity. The Web Application servers did not verify whether the request originated from a legitimate system.

Resolution

Customers can now configure a trusted web application endpoint with mutual TLS (mTLS), accepting requests only from trusted backend servers. After installing the patch, follow Knowledge Base Article 3672038.

Workaround

Segregate the landscape into an internal network (Web-tier and backend communication) and an external network (user access to the Web-tier), and block requests from the external network to the trusted endpoint URL.

SAP Note 3692405  |  CVE-2025-12383  |  CVSS: 7.4  |  High

Race Condition in SAP Commerce Cloud

Component: CEC-SCC-PLA-PL  |  Affected versions: HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21

Vulnerability description

Under certain conditions, SAP Commerce Cloud allows an authenticated user to bypass SSL trust validation for outbound connections due to a race condition in the Eclipse Jersey library (CVE-2025-12383). High impact on confidentiality and integrity. The issue affects only custom extensions using Jersey-based outbound connections with a custom SSL trust configuration - the default Commerce Cloud configuration is not affected.

Resolution

Update Eclipse Jersey to a version not vulnerable to CVE-2025-12383. Fix included in: Commerce Cloud Patch Release 2205.47, Update Release 2211.49, Update Release 2211-jdk21.5.

Workaround

No workaround available.

SAP Note 3674246  |  CVE-2026-0508  |  CVSS: 7.3  |  High

Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform

Component: BI-BIP-SEC  |  Affected versions: ENTERPRISE 430, 2025, 2027

Vulnerability description

An authenticated attacker with high privileges can insert a malicious URL into the application. Once the victim clicks it, the application redirects without validation to a domain controlled by the attacker, which can then serve malicious content. High impact on confidentiality and integrity, no impact on availability. The application allowed link sharing without the necessary validation.

Resolution

Server-side whitelisting has been implemented to prevent unverified redirects to third-party URLs.

Workaround

No workaround available.
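What a server-side allowlist for redirect targets has to get right, as an added example (not the BI platform's implementation and not from the note): the hostnames, scheme policy and fallback URL are assumptions for the example. A naive "starts with our domain" filter is bypassed by scheme-relative URLs (//evil.example), userinfo tricks (https://bi.example.com@evil.example), backslash confusion (/\evil.example, which browsers read as //evil.example), look-alike hosts (bi.example.com.evil.example) and non-HTTP schemes; the validator below rejects each of those and falls back to a fixed landing page.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumptions for the example: hosts the application may redirect to, the only
# accepted scheme, and a safe landing page used whenever validation fails.
ALLOWED_HOSTS = {"bi.example.com", "portal.example.com"}
ALLOWED_SCHEMES = {"https"}
FALLBACK = "https://bi.example.com/BOE/BI"


def safe_redirect_target(target, fallback=FALLBACK):
    """Return `target` if it is a site-local path or an allowlisted absolute URL,
    otherwise `fallback`. Never returns an unvalidated attacker-supplied value."""
    if not target or any(ch in target for ch in "\r\n\t"):
        return fallback                      # CRLF/whitespace: header injection attempts
    # Browsers treat '\' like '/' in URLs; normalise so '/\evil.example' is seen
    # as scheme-relative ('//evil.example') rather than as a harmless local path.
    target = target.replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:
        return fallback                      # malformed input (e.g. bad IPv6 literal)
    if not parts.scheme and not parts.netloc:
        # Relative URL: accept only an absolute path that is not scheme-relative.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback                      # http:, javascript:, data:, and '//host' (empty scheme)
    if parts.username is not None:
        return fallback                      # 'https://bi.example.com@evil.example' style
    if parts.hostname not in ALLOWED_HOSTS:  # hostname is lower-cased, port stripped
        return fallback                      # includes 'bi.example.com.evil.example'
    return urlunsplit(parts)


if __name__ == "__main__":
    for candidate in [
        "/BOE/portal/report?id=5",
        "https://bi.example.com/BOE/BI",
        "//evil.example/phish",
        "/\\evil.example/phish",
        "https://bi.example.com@evil.example/",
        "https://bi.example.com.evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

Exact-match hostnames are the point: a suffix or substring test on the string is what open-redirect bypasses target. If the application must redirect to many hosts, keep the list server-side and map short identifiers to URLs rather than accepting a URL from the request at all.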


Medium and low priority vulnerabilities

Planning within the regular patching cycle.

MEDIUM priority vulnerabilities

  • Note 3695912 | CVE-2026-24324 | CVSS 6.5 - Denial of service (DOS) in SAP BusinessObjects BI Platform
  • Note 3672622 | CVE-2026-0484 | CVSS 6.5 - Missing Authorization check in SAP NetWeaver AS ABAP and SAP S/4HANA
  • Note 3688319 | CVE-2026-24328 | CVSS 6.1 - Open Redirection vulnerability in BSP Application (TAF_APPLAUNCHER)
  • Note 3678417 | CVE-2026-0505 | CVSS 6.1 - Multiple vulnerabilities in BSP Applications of SAP Document Management System
  • Note 3503138 | CVE-2025-0059 | CVSS 6.0 - Information Disclosure in SAP NetWeaver AS ABAP (SAP GUI for HTML)
  • Note 3689543 | CVE-2026-23684 | CVSS 5.9 - Race condition vulnerability in SAP Commerce Cloud
  • Note 3679346 | CVE-2026-24319 | CVSS 5.8 - Information Disclosure in SAP Business One (Client Memory Dump Files)
  • Note 3687771 | CVE-2026-24321 | CVSS 5.3 - Information Disclosure vulnerability in SAP Commerce Cloud
  • Note 3710111 | CVE-2026-24312 | CVSS 5.2 - Missing authorization check in SAP Business Workflow
  • Note 3691645 | CVE-2026-0486 | CVSS 5.0 - Missing Authorization Check in ABAP based SAP systems
  • Note 3697256 | CVE-2026-24325 | CVSS 4.8 - Cross Site Scripting (XSS) in SAP BusinessObjects Enterprise (CMC)
  • Note 3687285 | CVE-2026-23685 | CVSS 4.4 - Insecure Deserialization in SAP NetWeaver (JMS service)
  • Note 3122486 | CVE-2026-23683 | CVSS 4.3 - Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation)
  • Note 3215823 | CVE-2026-23688 | CVSS 4.3 - Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets)
  • Note 3678009 | CVE-2026-24326 | CVSS 4.3 - Missing authorization check in SAP S/4HANA Defense & Security
  • Note 3680390 | CVE-2026-24327 | CVSS 4.3 - Missing Authorization Check in SAP SEM (Balanced Scorecard)
  • Note 3680416 | CVE-2026-23681 | CVSS 4.3 - Missing Authorization check in a function module in SAP Support Tools Plug-In

LOW priority vulnerabilities

  • Note 3673213 | CVE-2026-23686 | CVSS 3.4 - CRLF Injection vulnerability in SAP NetWeaver AS Java
  • Note 3678313 | CVE-2026-24320 | CVSS 3.1 - Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform

SNOK recommendations

Immediate actions (0–48h)

1. SAP Note 3697099 (Code Injection SAP CRM/S/4HANA Scripting Editor) - CVSS 9.9, highest priority. If immediate patching is not possible, apply the workaround: deactivate the SICF entry for CRM_IC_ISE.

2. SAP Note 3674774 (Missing Authorization RFC bypass) - CVSS 9.6. Apply the kernel patch and set rfc/authCheckInPlayback = 2. Watch out for regressions! Also plan the allocation of additional S_RFC authorisations.

3. SAP Note 3697567 (XML Signature Wrapping) - CVSS 8.8, full CIA impact. As a temporary workaround, SAML authentication can be disabled, if acceptable within your landscape.


Short-term actions (1–2 weeks)

• Deploy patches for BusinessObjects BI Platform (3678282, 3654236, 3674246) - three High vulnerabilities, including two DoS attacks that do not require authentication

• Update SAP Supply Chain Management (3703092) - DoS via RFC, CVSS 7.7

• Patch SAP Solution Tools Plug-In ST-PI (3705882) - disclosure of sensitive information

• Update SAP Commerce Cloud (3692405) - race condition in SSL trust, affects custom Jersey extensions

• If not applied in January: SAP Note 3697979 (Code Injection in Landscape Transformation) - CVSS 9.1


Long-term actions

• Deploy automated monitoring of SAP Security Notes with alerts for HotNews and High

• Regular reviews of RFC authorisations and S_RFC assignments - they decide which users can reach RFC-exposed function modules, the entry point for the Missing Authorization and DoS issues in notes 3674774 and 3703092

• Audit of accounts with administrator privileges - minimising the risk of Code Injection (notes 3697979, 3697099)

• Review of SAML configuration and signed XML documents across the landscape following note 3697567

• Verification of SSL/TLS configuration in Commerce Cloud, particularly in custom extensions

• Consider deploying a continuous SAP security monitoring solution (e.g. SecurityBridge)


Need support with SAP Security?

The SNOK SAP Security team is at your disposal | www.snok.ai

Would you like to see this in practice or discuss implementation for your organisation? Get in touch - we will respond within 48 hours.

Topics: Safe Tuesday sap-security SecurityBridge SAP S/4HANA SAP BTP
