SAP published 29 new security notes as part of Patch Day February 2026 (including updates to earlier notes and interim releases). This nearly matches the record set in July 2025 and signals an intense start to 2026 for SAP security. The set includes 3 critical (HotNews) vulnerabilities with a maximum CVSS score of 9.9, and 7 High-priority vulnerabilities.
KEY THREATS:
1/ Code Injection in SAP CRM and S/4HANA Scripting Editor (CVSS 9.9),
2/ Missing Authorization check in NetWeaver AS ABAP - S_RFC bypass (CVSS 9.6),
3/ Code Injection in SAP Landscape Transformation (CVSS 9.1 - update from January),
4/ XML Signature Wrapping in NetWeaver AS ABAP (CVSS 8.8),
5/ Three DoS attacks against the BusinessObjects BI platform (CVSS 7.3–7.5).
Overview of all security notes
Critical vulnerabilities (HotNews)
These require an immediate response - patching within 24–48 hours. A detailed description of each vulnerability follows below.
SAP Note 3697099 | CVE-2026-0488 | CVSS: 9.9 | HotNews
Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)
Component: CRM-IC-FRW | Affected versions: S4FND 102–109, WEBCUIF 700–801, SAP_ABA 700
Vulnerability description
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) can exploit a flaw in a generic function module call to execute unauthorised critical functions, including arbitrary SQL queries. This leads to full database takeover, with a high impact on confidentiality, integrity, and availability.
Resolution
The program has been extended with additional allowlist-based checks to prevent the invocation of arbitrary function modules. Correction Instructions or Support Packages specified in the security note must be implemented.
Workaround
Deactivate the SICF entry for CRM_IC_ISE: Default Host → SAP → BC → BSP → SAP → CRM_IC_ISE. Right-click and select “Deactivate Service” and confirm. Once deactivated, the old Scripting Editor will no longer be available.
Additional information: FAQ SAP Note 3709553
SAP Note 3674774 | CVE-2026-0509 | CVSS: 9.6 | HotNews
Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform
Component: BC-MID-RFC | Affected versions: KERNEL 7.22–9.19, KRNL64UC 7.22–7.53, KRNL64NUC 7.22
Vulnerability description
SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated user with low privileges to execute background remote RFC function calls without the required S_RFC authorisation. This can result in a high impact on the integrity and availability of the application, with no impact on confidentiality.
Prerequisites
Authorisation checks were not consistently enforced in certain scenarios, allowing users to perform actions beyond their authorised privileges.
Resolution
The relevant authorisation checks have been strengthened. A kernel patch must be applied and the profile parameter rfc/authCheckInPlayback = 2 must be set. For SAP_BASIS 7.00–7.31, the parameter must be added directly in the profile file or SAP Note 3684751 applied. For SAP_BASIS 7.40 and higher, transactions RZ11/RZ10 can be used.
NOTE: This fix introduces a regression for Kernel 7.22, 7.53, and 7.54 - in this case, SAP Note 3694152 must additionally be implemented. The change may require granting additional S_RFC authorisations to users. UCON customers may need to assign additional functions to the Communication Assembly (CA).
Workaround
No workaround available.
Additional information: FAQ SAP Note 3676372
SAP Note 3697979 | CVE-2026-0491 | CVSS: 9.1 | HotNews
Code Injection Vulnerability in SAP Landscape Transformation
Component: CA-DT-ANA | Affected versions: DMIS 2011_1_700–2020
Vulnerability description
Update to a note originally published as part of the January 2026 Patch Day. SAP Landscape Transformation allows an attacker with administrator privileges to exploit a vulnerability in a function module exposed via RFC. The flaw enables injection of arbitrary ABAP code or operating system commands, bypassing authorisation checks. The vulnerability functions as a backdoor, creating a risk of full system takeover.
February update: a cosmetic change (marked as “reported externally”). If you applied the January fix, no further action is required.
Workaround
No workaround available.
Additional information: FAQ SAP Note 3698186
High-priority vulnerabilities
Recommended patching within 1–2 weeks. A detailed description of each vulnerability follows below.
SAP Note 3697567 | CVE-2026-23687 | CVSS: 8.8 | High
XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform
Component: BC-SEC-WSS | Affected versions: SAP_BASIS 700–918
Vulnerability description
SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated attacker with normal privileges to obtain a validly signed message and send modified signed XML documents to the verifier. This can result in the acceptance of forged identity information, unauthorised access to sensitive user data, and potential disruption of normal system operation. High impact on confidentiality, integrity, and availability.
Resolution
The affected functions have been improved to correctly verify the XML Signature. Support Packages and Patches specified in the note must be implemented.
Workaround
For authentication: disable SAML authentication. For other uses of signed XML documents - no workaround available.
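The core of the fix described above is that the verifier must only trust the element the signature actually covers. The following structural check is an added example (not SAP's code and not from the note): given a SAML-like Response, it resolves the signature's Reference URI, rejects ambiguous or duplicate IDs and any extra assertion, and only then reads the NameID from the signed assertion. It assumes cryptographic verification of the signature is done separately; build_response and the sample documents are constructed test data.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

class WrappingSuspected(ValueError):
    """Document structure is inconsistent with exactly one signed assertion."""

def signed_subject(xml_bytes: bytes) -> str:
    """Return the NameID of the assertion the signature covers; crypto verification is assumed elsewhere."""
    root = ET.fromstring(xml_bytes)
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise WrappingSuspected(f"expected one signature, found {len(signatures)}")
    ref = signatures[0].find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise WrappingSuspected("signature must reference an element ID in this document")
    # An ID must be unique; several matches mean the reference is ambiguous.
    targets = [el for el in root.iter() if el.get("ID") == uri[1:]]
    if len(targets) != 1:
        raise WrappingSuspected(f"ID {uri[1:]!r} matches {len(targets)} elements")
    target = targets[0]
    if signatures[0] not in list(target):
        raise WrappingSuspected("signature is not enveloped in the element it references")
    assertions = root.findall(".//saml:Assertion", NS)
    # Exactly one assertion, and it must be the signed element or sit inside a signed Response.
    if len(assertions) != 1 or (target is not root and target is not assertions[0]):
        raise WrappingSuspected("assertion to be consumed is not the one the signature covers")
    name_id = assertions[0].find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise WrappingSuspected("signed assertion carries no NameID")
    return name_id.text.strip()

def build_response(assertions):
    """Constructed minimal SAML-like Response (test data, not SAP traffic); items are (ID, NameID, Reference URI or None)."""
    body = ""
    for aid, name, ref in assertions:
        sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref}"/>'
               f'</ds:SignedInfo></ds:Signature>') if ref else ""
        body += (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject>'
                 f'<saml:NameID>{name}</saml:NameID></saml:Subject></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="resp1">{body}</samlp:Response>').encode()

# Constructed inputs: a well-formed signed assertion, then two structures the verifier must reject.
SIGNED = build_response([("a1", "alice", "#a1")])
EXTRA_ASSERTION = build_response([("a2", "someone-else", None), ("a1", "alice", "#a1")])
DUPLICATE_ID = build_response([("a1", "someone-else", None), ("a1", "alice", "#a1")])
```

A real deployment would run these checks before handing the signed element to the SAML library, so that the identity consumed and the bytes verified are the same element.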
SAP Note 3705882 | CVE-2026-24322 | CVSS: 7.7 | High
Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)
Component: SV-SMG-SDD | Affected versions: ST-PI 2008_1_700–758
Vulnerability description
SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorisation checks for authenticated users, allowing disclosure of sensitive information. High impact on confidentiality, no impact on integrity or availability. Vulnerability discovered by the SecurityBridge research team.
Resolution
The affected function module no longer discloses sensitive information. Correction Instructions or Support Packages specified in the note must be implemented.
Workaround
No workaround available.
SAP Note 3703092 | CVE-2026-23689 | CVSS: 7.7 | High
Denial of Service (DoS) in SAP Supply Chain Management
Component: SCM-APO-CA-COP | Affected versions: SCM 700–712, SCMAPO 713–
Vulnerability description
An authenticated attacker with normal privileges and network access can repeatedly call a remotely accessible function module with an excessively large loop control parameter. This triggers long-running loop execution consuming excessive system resources, potentially rendering the system unavailable. High impact on availability, no impact on confidentiality or integrity.
Prerequisites
The affected function module is accessible via Remote Function Call (RFC).
Resolution
The issue has been mitigated by enforcing strict input validation, preventing excessive resource consumption.
Workaround
No workaround available.
SAP Note 3678282 | CVE-2026-0485 | CVSS: 7.5 | High
Denial of Service (DoS) vulnerability in SAP BusinessObjects BI Platform
Component: BI-BIP-SRV | Affected versions: ENTERPRISE 430, 2025, 2027
Vulnerability description
An unauthenticated attacker can send specially crafted requests that cause the Content Management Server (CMS) to crash and automatically restart. By repeating the requests, the attacker can cause a persistent service outage, rendering the CMS completely unavailable. The root cause is that the server did not correctly verify the size of input data.
Resolution
Security controls have been implemented in the communication layer of the SAP BusinessObjects BI platform, ensuring that all data exchanged between processes remains within safe size limits, preventing buffer overflows.
Workaround
Deploy the CORBA SSL configuration as described in the “Configuring backend servers for SSL” section of the “Securing the BI platform” chapter of the administrator guide. Temporary workaround only - SAP strongly recommends implementing the full fix.
SAP Note 3654236 | CVE-2026-0490 | CVSS: 7.5 | High
Denial of Service (DoS) in SAP BusinessObjects BI Platform
Component: BI-BIP-SRV | Affected versions: ENTERPRISE 430, 2025, 2027
Vulnerability description
An unauthenticated attacker can craft a specific network request to a trusted endpoint, disrupting authentication and blocking access for legitimate platform users. High impact on availability, no impact on confidentiality or integrity. The Web Application servers did not verify whether the request originated from a legitimate system.
Resolution
Customers can now configure a trusted web application endpoint with mutual TLS (mTLS), accepting requests only from trusted backend servers. After installing the patch, follow Knowledge Base Article 3672038.
Workaround
Segregate the landscape into an internal network (Web-tier and backend communication) and an external network (user access to the Web-tier). Block requests from the external network to the authorised URL.
SAP Note 3692405 | CVE-2025-12383 | CVSS: 7.4 | High
Race Condition in SAP Commerce Cloud
Component: CEC-SCC-PLA-PL | Affected versions: HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21
Vulnerability description
Under certain conditions, SAP Commerce Cloud allows an authenticated user to bypass SSL trust validation for outbound connections due to a race condition in the Eclipse Jersey library (CVE-2025-12383). High impact on confidentiality and integrity. The issue affects only custom extensions using Jersey-based outbound connections with a custom SSL trust configuration - the default Commerce Cloud configuration is not affected.
Resolution
Update Eclipse Jersey to a version not vulnerable to CVE-2025-12383. Fix included in: Commerce Cloud Patch Release 2205.47, Update Release 2211.49, Update Release 2211-jdk21.5.
Workaround
No workaround available.
SAP Note 3674246 | CVE-2026-0508 | CVSS: 7.3 | High
Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform
Component: BI-BIP-SEC | Affected versions: ENTERPRISE 430, 2025, 2027
Vulnerability description
An authenticated attacker with high privileges can insert a malicious URL into the application. Once the victim clicks it, an unverified redirect occurs to a domain controlled by the attacker, from which malicious content is downloaded. High impact on confidentiality and integrity, no impact on availability. The application allowed link sharing without the necessary validation.
Resolution
Server-side whitelisting has been implemented to prevent unverified redirects to third-party URLs.
Workaround
No workaround available.
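To illustrate what "server-side whitelisting" of redirect targets has to get right, here is an added example (not SAP's code): a naive prefix check beside an allowlist validator that only accepts same-site relative paths or https URLs whose host is on the list. The host names and SAMPLES are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed names for the example).
ALLOWED_HOSTS = {"bi.example.internal", "launchpad.example.internal"}


def naive_is_safe(url: str) -> bool:
    """A string-prefix check: the kind of validation an open redirect slips past."""
    return url.startswith("https://bi.example.internal")


def is_safe_redirect(url: str) -> bool:
    """Server-side allowlist: same-site relative paths, or https URLs whose host is allowlisted."""
    # Backslashes and control characters are parsed differently by browsers than by urlsplit.
    if any(c in url for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port                       # raises ValueError for a malformed port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash ("//host" would be scheme-relative).
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False                            # "https://trusted-name@other-host/" embeds userinfo
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


# Constructed targets: is_safe_redirect accepts only the first two;
# naive_is_safe accepts the first, third and fourth.
SAMPLES = [
    "https://bi.example.internal/BOE/BI",
    "/BOE/portal?page=home",
    "https://bi.example.internal.other.example/",
    "https://bi.example.internal@other.example/",
    "//other.example/",
]
```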
Medium and low priority vulnerabilities
Planning within the regular patching cycle.
MEDIUM priority vulnerabilities
- Note 3695912 | CVE-2026-24324 | CVSS 6.5 - Denial of Service (DoS) in SAP BusinessObjects BI Platform
- Note 3672622 | CVE-2026-0484 | CVSS 6.5 - Missing Authorization check in SAP NetWeaver AS ABAP and SAP S/4HANA
- Note 3688319 | CVE-2026-24328 | CVSS 6.1 - Open Redirection vulnerability in BSP Application (TAF_APPLAUNCHER)
- Note 3678417 | CVE-2026-0505 | CVSS 6.1 - Multiple vulnerabilities in BSP Applications of SAP Document Management System
- Note 3503138 | CVE-2025-0059 | CVSS 6.0 - Information Disclosure in SAP NetWeaver AS ABAP (SAP GUI for HTML)
- Note 3689543 | CVE-2026-23684 | CVSS 5.9 - Race condition vulnerability in SAP Commerce Cloud
- Note 3679346 | CVE-2026-24319 | CVSS 5.8 - Information Disclosure in SAP Business One (Client Memory Dump Files)
- Note 3687771 | CVE-2026-24321 | CVSS 5.3 - Information Disclosure vulnerability in SAP Commerce Cloud
- Note 3710111 | CVE-2026-24312 | CVSS 5.2 - Missing authorization check in SAP Business Workflow
- Note 3691645 | CVE-2026-0486 | CVSS 5.0 - Missing Authorization Check in ABAP based SAP systems
- Note 3697256 | CVE-2026-24325 | CVSS 4.8 - Cross Site Scripting (XSS) in SAP BusinessObjects Enterprise (CMC)
- Note 3687285 | CVE-2026-23685 | CVSS 4.4 - Insecure Deserialization in SAP NetWeaver (JMS service)
- Note 3122486 | CVE-2026-23683 | CVSS 4.3 - Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation)
- Note 3215823 | CVE-2026-23688 | CVSS 4.3 - Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets)
- Note 3678009 | CVE-2026-24326 | CVSS 4.3 - Missing authorization check in SAP S/4HANA Defense & Security
- Note 3680390 | CVE-2026-24327 | CVSS 4.3 - Missing Authorization Check in SAP SEM (Balanced Scorecard)
- Note 3680416 | CVE-2026-23681 | CVSS 4.3 - Missing Authorization check in a function module in SAP Support Tools Plug-In
LOW priority vulnerabilities
- Note 3673213 | CVE-2026-23686 | CVSS 3.4 - CRLF Injection vulnerability in SAP NetWeaver AS Java
- Note 3678313 | CVE-2026-24320 | CVSS 3.1 - Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform
SNOK recommendations
Immediate actions (0–48h)
1. SAP Note 3697099 (Code Injection SAP CRM/S/4HANA Scripting Editor) - CVSS 9.9, highest priority. If immediate patching is not possible, apply the workaround: deactivate the SICF entry for CRM_IC_ISE.
2. SAP Note 3674774 (Missing Authorization RFC bypass) - CVSS 9.6. Apply the kernel patch and set rfc/authCheckInPlayback = 2. Watch out for regressions! Also plan the allocation of additional S_RFC authorisations.
3. SAP Note 3697567 (XML Signature Wrapping) - CVSS 8.8, full CIA impact. As a temporary workaround, SAML authentication can be disabled, if acceptable within your landscape.
Short-term actions (1–2 weeks)
• Deploy patches for BusinessObjects BI Platform (3678282, 3654236, 3674246) - three High vulnerabilities, including two DoS attacks that do not require authentication
• Update SAP Supply Chain Management (3703092) - DoS via RFC, CVSS 7.7
• Patch SAP Solution Tools Plug-In ST-PI (3705882) - disclosure of sensitive information
• Update SAP Commerce Cloud (3692405) - race condition in SSL trust, affects custom Jersey extensions
• If not applied in January: SAP Note 3697979 (Code Injection in Landscape Transformation) - CVSS 9.1
Long-term actions
• Deploy automated monitoring of SAP Security Notes with alerts for HotNews and High
• Regular reviews of RFC authorisations and S_RFC objects - key for preventing Code Injection and SQL Injection
• Audit of accounts with administrator privileges - minimising the risk of Code Injection (notes 3697979, 3697099)
• Review of SAML configuration and signed XML documents across the landscape following note 3697567
• Verification of SSL/TLS configuration in Commerce Cloud, particularly in custom extensions
• Consider deploying a continuous SAP security monitoring solution (e.g. SecurityBridge)
Need support with SAP Security?
The SNOK SAP Security team is at your disposal | www.snok.ai
Would you like to see this in practice or discuss implementation for your organisation? Get in touch - we will respond within 48 hours.