SAP has published 17 new security notes as part of Patch Day January 2026. This is one of the most serious Patch Days to date - it includes 4 critical vulnerabilities (HotNews) with a maximum CVSS of 9.9.
KEY THREATS:
1/ SQL Injection in S/4HANA General Ledger (CVSS 9.9),
2/ RCE in Wily Introscope (CVSS 9.6),
3/ Code Injection in S/4HANA and Landscape Transformation (CVSS 9.1),
4/ Privilege Escalation in SAP HANA Database (CVSS 8.8).
Overview of all security notes
Critical vulnerabilities (HotNews)
These require an immediate response: patch within 24-48 hours. A detailed description of each vulnerability follows below.
SAP Note 3687749 | CVE-2026-0501 | CVSS: 9.9 | HotNews
SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger)
Component: FI-GL-GL-G | Affected versions: S4CORE 102-109
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability description
Insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) allows an authenticated user to execute crafted SQL queries in order to read, modify and delete data from the backend database. This results in a high impact on the confidentiality, integrity and availability of the application.
Prerequisites
The vulnerability is exploitable only where the S_RFC authorisation object is configured incorrectly, i.e. where it permits external RFC access to the affected function modules.
Resolution
The issue has been fixed by generating the SQL statement internally within the function module using validated parameters, which prevents the injection of user-controlled data into the query. There is no impact on existing functionality following implementation of the security note.
Workaround
Review and restrict the S_RFC authorisation object to ensure that no external access is permitted to the function modules in the FGL_BCF function group. These function modules are intended to be called only internally by the system as part of parallel processing and must not be callable via external RFC interfaces.
Additional information: FAQ SAP Note 3700593
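The workaround for this note depends on knowing which roles actually grant RFC access to the FGL_BCF function group. The script below is an added example (not SAP's or SNOK's code) that audits a flat export of the role authorisation table AGR_1251 for S_RFC grants covering FGL_BCF, including trailing-wildcard and LOW-HIGH range values; the role names, authorisation ids and rows are constructed for the example, and the export column layout (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH) is an assumption about how the data was extracted.

```python
"""Audit an exported role authorisation list for S_RFC grants that expose the
FGL_BCF function group over RFC (the condition under which SAP Note 3687749
is exploitable).

Added example, not SAP's or SNOK's code. It assumes the input is a flat export
of table AGR_1251 with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH;
the rows below, including the role names, are constructed for the example."""
from collections import defaultdict

# Constructed sample rows: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH).
SAMPLE_AGR_1251 = [
    # Blanket grant: any function group may be called over RFC.
    ("Z_RFC_ALL",      "S_RFC", "T-0001", "ACTVT",    "16",       ""),
    ("Z_RFC_ALL",      "S_RFC", "T-0001", "RFC_TYPE", "FUGR",     ""),
    ("Z_RFC_ALL",      "S_RFC", "T-0001", "RFC_NAME", "*",        ""),
    # Range grant that happens to include FGL_BCF.
    ("Z_FI_INTERFACE", "S_RFC", "T-0002", "ACTVT",    "16",       ""),
    ("Z_FI_INTERFACE", "S_RFC", "T-0002", "RFC_TYPE", "FUGR",     ""),
    ("Z_FI_INTERFACE", "S_RFC", "T-0002", "RFC_NAME", "FGL_A",    "FGL_Z"),
    # Grant limited to an unrelated function group: not a finding.
    ("Z_HR_ONLY",      "S_RFC", "T-0003", "ACTVT",    "16",       ""),
    ("Z_HR_ONLY",      "S_RFC", "T-0003", "RFC_TYPE", "FUGR",     ""),
    ("Z_HR_ONLY",      "S_RFC", "T-0003", "RFC_NAME", "HRXX_RFC", ""),
    # Function-module-level grant with a full wildcard: reaches every module.
    ("Z_FUNC_ALL",     "S_RFC", "T-0004", "ACTVT",    "16",       ""),
    ("Z_FUNC_ALL",     "S_RFC", "T-0004", "RFC_TYPE", "FUNC",     ""),
    ("Z_FUNC_ALL",     "S_RFC", "T-0004", "RFC_NAME", "*",        ""),
]


def value_matches(low: str, high: str, name: str) -> bool:
    """SAP authorisation value semantics: an exact value, a trailing '*'
    wildcard ('*' alone matches everything), or an inclusive LOW-HIGH range
    compared as strings."""
    low, high = low.strip(), high.strip()
    if high:
        return low <= name <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return name.startswith(low[:-1])
    return low == name


def exposing_roles(rows, function_group: str = "FGL_BCF") -> dict:
    """Return {role: [authorisation id, ...]} for every S_RFC authorisation
    that lets its holder call `function_group` (or every module) over RFC."""
    # Group the flat rows back into authorisation instances: one instance per
    # (role, AUTH) carries its own RFC_TYPE / RFC_NAME / ACTVT values.
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        if obj == "S_RFC":
            auths[(role, auth)][field].append((low, high))

    findings = defaultdict(list)
    for (role, auth), fields in auths.items():
        # ACTVT 16 (Execute) is the activity that matters for RFC calls.
        if not any(value_matches(l, h, "16") for l, h in fields["ACTVT"]):
            continue
        types = [l.strip() for l, _ in fields["RFC_TYPE"]]
        names = fields["RFC_NAME"]
        covers_group = any(t in ("FUGR", "*") for t in types) and any(
            value_matches(l, h, function_group) for l, h in names)
        # A FUNC-typed grant with a bare '*' reaches every function module,
        # including those in the group, without naming the group.
        covers_all_modules = any(t in ("FUNC", "*") for t in types) and any(
            l.strip() == "*" and not h.strip() for l, h in names)
        if covers_group or covers_all_modules:
            findings[role].append(auth)
    return dict(findings)


if __name__ == "__main__":
    for role, auth_ids in exposing_roles(SAMPLE_AGR_1251).items():
        print(f"{role}: S_RFC authorisation(s) {auth_ids} expose FGL_BCF")
```

FUNC-typed grants that name individual modules are deliberately not resolved here, because that needs the list of function modules in FGL_BCF from the system itself; in practice that list would be pulled from the ABAP repository before running the audit.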
SAP Note 3668679 | CVE-2026-0500 | CVSS: 9.6 | HotNews
Remote Code Execution in SAP Wily Introscope Enterprise Manager (WorkStation)
Component: SV-SMG-DIA-WLY | Affected versions: WILY_INTRO_ENTERPRISE 10.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability description
A remote code execution (RCE) vulnerability in SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to create a malicious JNLP (Java Network Launch Protocol) file accessible via a URL. When the victim clicks the URL, the Wily Introscope server may execute commands on the victim’s application. This can fully compromise the confidentiality, integrity and availability of the application.
Prerequisites
The attack requires user interaction (clicking a malicious link). The attacker does not need to be authenticated.
Resolution
The JNLP generation code has been updated. All request parameters are now correctly handled and validated. This ensures correct JNLP generation without unintended or malicious code. Enterprise Manager 10.8 SP01 Patch 2 (10.8.0.220) should be installed.
Workaround
No workaround is available. As an alternative, customers can switch to the corresponding standalone workstation package from the Software Center instead of launching the application via a .jnlp file. The standalone package provides the same application functionality without relying on JNLP launching.
Additional information: FAQ SAP Note 3702381
SAP Note 3697979 | CVE-2026-0491 | CVSS: 9.1 | HotNews
Code Injection Vulnerability in SAP Landscape Transformation
Component: CA-LT-ANA | Affected versions: DMIS 2011_1_700 – 2020
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability description
SAP Landscape Transformation allows an attacker with administrator privileges to exploit a vulnerability in a function module exposed via RFC. This flaw allows the injection of arbitrary ABAP code or operating system commands into the system, bypassing the necessary authorisation checks. This vulnerability effectively acts as a backdoor, creating a risk of complete system takeover and undermining the confidentiality, integrity and availability of the system.
Prerequisites
The attacker must have administrator privileges in the SAP system.
Resolution
The issue has been fixed by removing the code causing the vulnerability. The Correction Instructions or Support Packages indicated in the security note should be implemented.
Workaround
No workaround is available for this security note.
Additional information: FAQ SAP Note 3698186
SAP Note 3694242 | CVE-2026-0498 | CVSS: 9.1 | HotNews
Code Injection Vulnerability in SAP S/4HANA (Private Cloud and On-Premise)
Component: CA-DT-ANA | Affected versions: S4CORE 102-109
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability description
SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with administrator privileges to exploit a vulnerability in a function module exposed via RFC. This flaw allows the injection of arbitrary ABAP code or OS commands into the system, bypassing the necessary authorisation checks. This vulnerability effectively acts as a backdoor, creating a risk of complete system takeover and undermining the confidentiality, integrity and availability of the system.
Prerequisites
The attacker must have administrator privileges in the SAP system.
Resolution
The issue has been fixed by removing the code causing the vulnerability. The Correction Instructions or Support Packages indicated in the security note should be implemented.
Workaround
No workaround is available for this security note.
Additional information: FAQ SAP Note 3698254
High vulnerabilities
Recommended patching within 1-2 weeks. A detailed description of each vulnerability follows below.
SAP Note 3691059 | CVE-2026-0492 | CVSS: 8.8 | High
Privilege Escalation Vulnerability in SAP HANA Database
Component: HAN-DB-SEC | Affected versions: HDB 2.00 (SPS07, SPS08)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability description
The SAP HANA database is vulnerable to privilege escalation, allowing an attacker with valid credentials of any user to switch to another user, potentially gaining administrative access. Exploiting this vulnerability could result in a complete compromise of the confidentiality, integrity and availability of the system.
Prerequisites
The attacker must possess valid credentials of any user in the SAP HANA system.
Resolution
The fix prevents unauthorised user switching. SAP HANA2 should be updated to at least the following versions: SPS07: revision 79.07, SPS08: revision 88. Note: SAP HANA2 SPS05 and SPS06 are not affected by this vulnerability.
Workaround
No workaround is available.
SAP Note 3675151 | CVE-2026-0507 | CVSS: 8.4 | High
OS Command Injection Vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK
Component: BC-MID-RFC-SDK | Affected versions: KERNEL 7.53-9.16, NWRFCSDK 7.50
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability description
An OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK allows an authenticated attacker with administrative access and access to the adjacent network to submit specially crafted content to the server. If this content is processed by the application, it enables the execution of arbitrary operating system commands. Successful exploitation could lead to a full compromise of the confidentiality, integrity and availability of the system.
Prerequisites
If rfcExec was used as a started server and relied on the rfcExec.sec security file, the COMMAND parameter received in the request was compared against the value in rfcExec.sec with inverted logic: if the values matched, the request was rejected; otherwise, the request was allowed. The wildcard value worked as expected.
Resolution
The fix introduces additional validation to prevent unauthorised OS command injection. For custom solutions based on rfcExec with NW RFC SDK 7.50, patch level 18 or later should be downloaded in accordance with SAP Note 2573790.
Workaround
No workaround is available.
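The prerequisite section above describes an allowlist check with inverted logic, where the wildcard still behaved correctly. The snippet below is an added example (not SAP's RFC SDK code) that reproduces that defect in miniature beside the intended check, so the two can be compared on the same inputs. It assumes rfcExec.sec is a plain text file listing one permitted command per line with "*" meaning any command; the file contents, command paths and requests are all constructed.

```python
"""Inverted allowlist comparison, as described for rfcExec and rfcExec.sec,
reproduced beside the intended check.

Added example, not SAP's RFC SDK code. Assumes rfcExec.sec is a plain text
file with one permitted command per line and "*" meaning any command; the
file contents and request commands below are constructed."""


def parse_sec_file(text: str) -> list[str]:
    """Return the permitted commands, ignoring blank lines and '#' comments."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def buggy_is_allowed(command: str, allowlist: list[str]) -> bool:
    """The defect: a command that matches the file is rejected and any
    command that does not match is let through. With a bare "*" in the file
    nothing ever matches, so everything is allowed, which is the expected
    wildcard behaviour reached for the wrong reason."""
    return command not in allowlist  # inverted comparison


def fixed_is_allowed(command: str, allowlist: list[str]) -> bool:
    """Allowlist semantics: only listed commands, or anything under "*"."""
    return "*" in allowlist or command in allowlist


def evaluate(sec_text: str, requests: list[str], check) -> dict:
    """Run each requested command through `check` against the parsed file."""
    allowlist = parse_sec_file(sec_text)
    return {cmd: check(cmd, allowlist) for cmd in requests}


# Constructed rfcExec.sec contents: one with a specific entry, one wildcard.
SPECIFIC_SEC = "# constructed rfcExec.sec\n/opt/reports/run_batch_report\n"
WILDCARD_SEC = "*\n"
# Constructed requests: the listed command and one that is not listed.
REQUESTS = ["/opt/reports/run_batch_report", "/bin/hostname"]


if __name__ == "__main__":
    for label, sec in (("specific", SPECIFIC_SEC), ("wildcard", WILDCARD_SEC)):
        print(label, "buggy:", evaluate(sec, REQUESTS, buggy_is_allowed))
        print(label, "fixed:", evaluate(sec, REQUESTS, fixed_is_allowed))
```

With the specific file the buggy check rejects the one command the administrator listed and accepts anything else; with the wildcard file both versions agree, which is why the defect is invisible in wildcard-only deployments. When reviewing a custom rfcExec-based solution, testing with a specific allowlist rather than "*" is what surfaces this class of inversion.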
SAP Note 3688703 | CVE-2026-0506 | CVSS: 8.1 | High
Missing Authorization Check in SAP NetWeaver Application Server ABAP and ABAP Platform
Component: BC-DWB-DIC-F4 | Affected versions: SAP_BASIS 700-816
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Vulnerability description
A missing authorisation check in Application Server ABAP and ABAP Platform allows an authenticated attacker to misuse an RFC function to execute form (FORM) routines in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and to invoke system functionality exposed through FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
Prerequisites
An RFC function in Application Server ABAP was being misused to execute FORM routines (FORMs) in the ABAP system.
Resolution
This fix disables the function and removes it from future releases. The Support Packages or Correction Instructions indicated in the security note should be implemented.
Workaround
No workaround is available.
SAP Note 3565506 | CVE-2026-0511 | CVSS: 8.1 | High
Multiple Vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Component: FI-LOC-FI-RU | Affected versions: S4CORE 105-108, UIAPFI70 500-902
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability description
This security note addresses three vulnerabilities in the SAP Fiori Intercompany Balance Reconciliation application:
1) Authorization Issue [CVE-2026-0511]: The application does not perform the necessary authorisation checks for an authenticated user, resulting in privilege escalation. High impact on the confidentiality and integrity of the application. CVSS: 8.1
2) Insecure File Operations [CVE-2026-0496]: The application allows an attacker with elevated privileges to upload arbitrary files (including scripts) without proper file format validation. Low impact on the confidentiality, integrity and availability of the application. CVSS: 6.6
3) Security Misconfiguration [CVE-2026-0495]: The application allows an attacker with elevated privileges to send uploaded files to arbitrary email addresses, which could enable effective phishing campaigns. Low impact on the confidentiality, integrity and availability of the application. CVSS: 5.1
Prerequisites
The vulnerabilities stem from missing authorisation checks and a lack of adequate protection against unrestricted file uploads.
Resolution
For the authorisation issue - authorisation checks have been implemented within the application’s functionality. For the insecure file operations issue - file upload restrictions have been implemented in the application. For the security misconfiguration issue - the option to send uploaded files to arbitrary email addresses has been removed.
Workaround
Restrict access to the affected functionality to trusted users via organisational and administrative controls until the fix is implemented. This is a temporary measure, not a permanent solution.
Medium vulnerabilities
To be scheduled within the regular patching cycle.
3681523 | CVE-2026-0503 | CVSS 6.4 | Medium
Missing Authorization in SAP EHS Management
EHS-SAF | SAP ECC, S/4HANA
3666061 | CVE-2026-0514 | CVSS 6.1 | Medium
Cross-Site Scripting in SAP Business Connector
BC-MID-BUS | SAP Business Connector
3687372 | CVE-2026-0499 | CVSS 6.1 | Medium
Cross-Site Scripting in SAP NetWeaver Enterprise Portal
EP-PIN-NAV | SAP NetWeaver EP
3638716 | CVE-2026-0513 | CVSS 4.7 | Medium
Open Redirect in SAP Supplier Relationship Management
SRM-EBP-CAT | SAP SRM
3677111 | CVE-2026-0497 | CVSS 4.3 | Medium
Missing Authorization in Product Designer Web UI
PLM-PPM-PDN | BSP Application
3655229 | CVE-2026-0493 | CVSS 4.3 | Medium
CSRF in SAP Fiori App (Intercompany Balance Reconciliation)
FI-LOC-FI-RU | SAP Fiori App
3655227 | CVE-2026-0494 | CVSS 4.3 | Medium
Information Disclosure in SAP Fiori App (Intercompany Balance Reconciliation)
FI-LOC-FI-RU | SAP Fiori App
Low vulnerabilities
To be implemented during scheduled maintenance windows.
3657998 | CVE-2026-0504 | CVSS 3.8 | Low
Insufficient Input Handling in SAP Identity Management JNDI Operations
BC-IAM-IDM | SAP IdM
3593356 | CVE-2026-0510 | CVSS 3.0 | Low
Obsolete Encryption Algorithm in NW AS Java UME User Mapping
BC-JAS-SEC-UME | SAP NW AS Java
SNOK recommendations
Immediate actions (0-48h)
• SAP Note 3687749 (SQL Injection S/4HANA GL) – CVSS 9.9, top priority. If immediate patching is not possible, apply the workaround: restrict the S_RFC authorisation object for the FGL_BCF function group.
• SAP Note 3668679 (RCE Wily Introscope) – CVSS 9.6, unauthenticated attack. Immediately install Enterprise Manager 10.8 SP01 Patch 2 or switch to the standalone workstation.
• SAP Note 3691059 (Privilege Escalation HANA) – CVSS 8.8, critical for database security. Update to SPS07 rev 79.07 or SPS08 rev 88.
Short-term actions (1-2 weeks)
• Deploy patches for Code Injection (3694242, 3697979) - these act as backdoors and require administrator privileges
• Update SAP NetWeaver RFCSDK (3675151) - OS Command Injection on the adjacent network
• Patch for SAP NetWeaver AS ABAP (3688703) - missing RFC authorisation allows FORM execution
• Review the Fiori Intercompany Balance Reconciliation application (3565506) - three related vulnerabilities
Long-term actions
• Implement automated monitoring of SAP Security Notes with alerts for HotNews
• Conduct regular reviews of RFC authorisations and S_RFC objects - the General Ledger SQL Injection (3687749) is only exploitable where S_RFC is misconfigured
• Audit accounts with administrator privileges - minimising the risk of Code Injection
• Consider implementing a continuous SAP security monitoring solution (e.g. SecurityBridge)
Need support with SAP Security?
The SNOK SAP Security team is at your disposal | www.snok.ai
Would you like to see this in practice or discuss implementation for your organisation? Contact us - we will respond within 48 hours.