SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA

HomeCyber Security News SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA By Abinaya May 12, 2026 On May 12, 2026, SAP released its highly anticipated monthly Security Patch Day updates, addressing numerous severe security flaws across its entire enterprise software portfolio. The most alarming discovery is a critical SQL injection vulnerability in SAP S/4HANA, giving attackers a direct path to compromise core database operations. Enterprise resource planning systems are the lifeblood of modern corporate infrastructure, and vulnerabilities of this magnitude represent a catastrophic risk to data integrity. In total, SAP released fifteen new security notes this month, urging organizations to apply patches immediately to prevent potential network intrusions, massive data theft, and catastrophic system downtime. Critical Threats in SAP Enterprise Systems The defining highlight of this month’s release is SAP Security Note 3724838, which resolves a devastating SQL injection vulnerability inside the SAP Enterprise Search for Advanced Business Application Programming component of SAP S/4HANA. Tracked as CVE-2026-34260, this critical flaw carries a near-maximum CVSS severity score of 9.6 out of 10. If exploited, an attacker could execute malicious database queries, allowing them to read, modify, or permanently delete highly sensitive corporate financial data. Simultaneously, SAP addressed another critical vulnerability affecting the SAP Commerce Cloud configuration. Documented under CVE-2026-34263, with an identical CVSS score of 9.6, this missing authentication check enables external attackers to bypass security protocols entirely, leading to unauthorized system access and severe operational disruption in e-commerce. Beyond the critical-rated flaws, the May 2026 update mitigates several high and medium-severity vulnerabilities that pose significant risks to internal enterprise networks. SAP Security Note 3732471 patches a high-severity operating system command injection vulnerability within SAP Forecasting and Replenishment, designated as CVE-2026-34259 with a CVSS score of 8.2. This flaw could allow a highly privileged local attacker to execute arbitrary commands on the underlying operating system, potentially paving the way for complete host takeover and lateral movement. Furthermore, network administrators must patch a medium-severity command injection flaw in the SAP NetWeaver Application Server for ABAP, tracked as CVE-2026-40135. Security Note CVE Identifier Affected SAP Product Severity Rating CVSS Score 3724838 CVE-2026-34260 SAP S/4HANA (Enterprise Search for ABAP) Critical 9.6 3733064 CVE-2026-34263 SAP Commerce Cloud Critical 9.6 3732471 CVE-2026-34259 SAP Forecasting & Replenishment High 8.2 3730019 CVE-2026-40135 SAP NetWeaver AS for ABAP Medium 6.5 3718083 CVE-2026-40133 SAP S/4HANA Condition Maintenance Medium 6.3 3727717 CVE-2026-40137 Business Server Pages Application Medium 6.1 3667593 CVE-2026-0502 SAP BusinessObjects BI Platform Medium 5.4 3721959 CVE-2026-40132 SAP Strategic Enterprise Management Medium 5.4 3716450 CVE-2025-68161 SAP Commerce Cloud (Apache Log4j) Medium 4.8 3726583 CVE-2026-34258 SAPUI5 (Search UI) Medium 4.7 3728690 CVE-2026-27682 SAP NetWeaver AS ABAP Medium 4.7 3713521 CVE-2026-40136 SAP Financial Consolidation Medium 4.3 3718508 CVE-2026-40134 SAP Incentive and Commission Management Medium 4.3 3735359 CVE-2026-40129 SAP Application Server ABAP Medium 4.3 3726962 CVE-2026-40131 SAP HANA Deployment Infrastructure Low 3.4 Other notable fixes include missing authorization checks across various business modules, such as SAP Strategic Enterprise Management and SAP S/4HANA Condition Maintenance. Alongside dangerous cross-site scripting and cross-site request forgery vulnerabilities in the BusinessObjects Business Intelligence Platform. SAP strongly recommends that all enterprise customers visit the official support portal and apply these patches on an emergency priority basis to protect their business-critical landscapes. Delaying these crucial updates leaves environments exposed to severe exploitation, especially given the ease with which financially motivated threat actors can weaponize SQL injection and missing authentication flaws. Security operations teams must ensure all impacted products, from SAP NetWeaver down to SAPUI5 and the SAP HANA Deployment Infrastructure deploy library, are updated to the latest secure versions to maintain a robust and impenetrable defensive posture. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access Top 10 Best Interactive Malware Analysis Tools in 2026 New cPanel and WHM Flaws Enable Code Execution, DoS Attacks Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets Multiple Critical Vulnerabilities Patched in Next.js and React Server Components Latest News Cyber Security News North Korean Hackers Weaponize Git Hooks to Deploy Cross-Platform Malware AI Critical “Cline” AI Agent Vulnerability Enables RCE Attacks Cyber Security News Malicious Chrome MV3 Extension Impersonates TronLink to Steal Crypto Wallet Credentials Cyber Security News MistralAI PyPI Package Compromised to Inject Malicious Code – Microsoft Warns Chrome Claude’s Chrome Extension Vulnerability Allows Malicious Extensions to Steal Gmail and Drive Data