SAP Patches Critical ABAP Vulnerability

SAP on Tuesday announced the release of 20 new and updated security notes as part of its April 2026 security patch day. The most severe of the resolved flaws is CVE-2026-27681 (CVSS score of 9.9), a critical SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. “The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” software security firm Onapsis explains. According to Pathlock senior product manager Jonathan Stross, the upload functionality could be exploited for direct database abuse, allowing an attacker to read and tamper with data without user interaction. “In a potential attack scenario, an attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores. Once successfully exploited, the vulnerability can allow an attacker to extract sensitive financial data, alter reports, models, or consolidation figures, delete or corrupt database content, and create major disruption,” Stross said. According to Onapsis, SAP resolved the issue by completely deactivating the executable code. On Tuesday, SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs. Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure, denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content, or code execution in the victim’s browser. The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application, and S4CORE. The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation. SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the security notes as soon as possible. Related: SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities Related: SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities Related: SAP’s January 2026 Security Updates Patch Critical Vulnerabilities Related: SAP Patches Critical Vulnerabilities With December 2025 Security Updates WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Fake Claude Website Distributes PlugX RAT Gmail Brings End-to-End Encryption to Android and iOS for Enterprise Users Juniper Networks Patches Dozens of Junos OS Vulnerabilities Orthanc DICOM Vulnerabilities Lead to Crashes, RCE MITRE Releases Fight Fraud Framework Critical Marimo Flaw Exploited Hours After Public Disclosure Google Rolls Out Cookie Theft Protections in Chrome Google API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access Latest News Triad Nexus Evades Sanctions to Fuel Cybercrime Google Adds Rust DNS Parser to Pixel Phones for Better Security Nightclub Giant RCI Hospitality Reports Data Breach Organizations Warned of Exploited Windows, Adobe Acrobat Vulnerabilities Booking.com Says Hackers Accessed User Information BrowserGate: Claims of LinkedIn ‘Spying’ Clash With Security Research Findings OpenAI Impacted by North Korea-Linked Axios Supply Chain Hack International Operation Targets Multimillion-Dollar Crypto Theft Schemes Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move The United States Department of War appointed David Vaughn as Technical Advisor for Data Infrastructure. Black Duck has named Dom Glavach as Chief Information Security Officer. Finite State has named Ann Miller as Vice President of Marketing. More People On The Move Expert Insights The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Email