SAP April 2026 Security Patch Day: Critical Vulnerabilities Demand Immediate Action
SAP released its monthly Security Patch Day updates for April 2026, addressing 19 new security notes and one update to a previously released note. These patches resolve severe vulnerabilities, including critical SQL injection, Denial of Service (DoS), and code injection flaws that could compromise enterprise infrastructure. SAP strongly advises all administrators to review these updates and apply patches immediately. Read the official SAP bulletin for comprehensive details.
Critical & High-Severity Flaws
April’s release highlights urgent vulnerabilities requiring immediate remediation. Security teams should prioritize:
- Critical SQL Injection (CVE-2026-27681): Affecting SAP Business Planning and Consolidation and SAP Business Warehouse. This CVSS 9.9-rated vulnerability allows arbitrary database query execution, potentially compromising confidentiality, integrity, and availability. Apply Note 3719353 immediately.
- Missing Authorization Check (CVE-2026-34256): A high-severity flaw (CVSS 7.1) in SAP ERP and S/4 HANA (Private Cloud and On-Premise) enabling unauthorized restricted actions. Urgent deployment required.
Medium-Severity Risks
Patches address multiple medium-severity vulnerabilities across SAP’s ecosystem:
- Denial of Service in BusinessObjects: CVE-2025-64775 (CVSS 6.5) disrupts critical business analytics and reporting operations.
- Code Injection in NetWeaver: CVE-2026-27674 (CVSS 6.1) resolved in SAP NetWeaver Application Server Java.
- Cross-Site Scripting: CVE-2026-0512 mitigated in SAP Supplier Relationship Management.
- Information Disclosure: Fixed in SAP Human Capital Management and SAP HANA Cockpit.
- Landscape Transformation Flaw: CVE-2026-27675 (low severity) addressed in SAP Landscape Transformation.
Patching Recommendations
Administrators and incident response teams should:
- Review detailed security notes on SAP Support Portal.
- Prioritize Note 3719353 for the CVSS 9.9 SQL injection flaw.
- Update impacted S/4 HANA environments to prevent unauthorized access.
- Validate the updated November 2025 patch for S4CORE authorization issues.
Vulnerability Summary
| CVE ID | Description | Priority | CVSS |
|---|---|---|---|
| CVE-2026-27681 | SQL Injection in SAP Business Planning and Consolidation / SAP Business Warehouse | Critical | 9.9 |
| CVE-2026-34256 | Missing Authorization in SAP ERP and S/4 HANA (Private Cloud & On-Premise) | High | 7.1 |
| CVE-2025-64775 | Denial of Service in SAP BusinessObjects BI Platform | Medium | 6.5 |
| CVE-2026-34264 | Information Disclosure in SAP HCM for S/4HANA | Medium | 6.5 |
| CVE-2026-27674 | Code Injection in SAP NetWeaver AS Java (Web Dynpro) | Medium | 6.1 |
| CVE-2026-0512 | XSS in SAP SRM Catalog (SICF Handler) | Medium | 6.1 |
| CVE-2026-27675 | Code Injection in SAP Landscape Transformation | Low | 2.0 |
For the full list of 19 vulnerabilities, visit the SAP Security Notes Portal. Timely patching remains critical to defend against evolving enterprise cyber threats.