FAY sykSibTPNLnHilUDO

SAP April 2026 Security Patch Day: Critical Vulnerabilities Demand Immediate Action

SAP released its monthly Security Patch Day updates for April 2026, addressing 19 new security notes and one update to a previously released note. These patches resolve severe vulnerabilities, including critical SQL injection, Denial of Service (DoS), and code injection flaws that could compromise enterprise infrastructure. SAP strongly advises all administrators to review these updates and apply patches immediately. Read the official SAP bulletin for comprehensive details.

Critical & High-Severity Flaws

April’s release highlights urgent vulnerabilities requiring immediate remediation. Security teams should prioritize:

  • Critical SQL Injection (CVE-2026-27681): Affecting SAP Business Planning and Consolidation and SAP Business Warehouse. This CVSS 9.9-rated vulnerability allows arbitrary database query execution, potentially compromising confidentiality, integrity, and availability. Apply Note 3719353 immediately.
  • Missing Authorization Check (CVE-2026-34256): A high-severity flaw (CVSS 7.1) in SAP ERP and S/4 HANA (Private Cloud and On-Premise) enabling unauthorized restricted actions. Urgent deployment required.

Medium-Severity Risks

Patches address multiple medium-severity vulnerabilities across SAP’s ecosystem:

  • Denial of Service in BusinessObjects: CVE-2025-64775 (CVSS 6.5) disrupts critical business analytics and reporting operations.
  • Code Injection in NetWeaver: CVE-2026-27674 (CVSS 6.1) resolved in SAP NetWeaver Application Server Java.
  • Cross-Site Scripting: CVE-2026-0512 mitigated in SAP Supplier Relationship Management.
  • Information Disclosure: Fixed in SAP Human Capital Management and SAP HANA Cockpit.
  • Landscape Transformation Flaw: CVE-2026-27675 (low severity) addressed in SAP Landscape Transformation.

Patching Recommendations

Administrators and incident response teams should:

  • Review detailed security notes on SAP Support Portal.
  • Prioritize Note 3719353 for the CVSS 9.9 SQL injection flaw.
  • Update impacted S/4 HANA environments to prevent unauthorized access.
  • Validate the updated November 2025 patch for S4CORE authorization issues.

Vulnerability Summary

CVE ID Description Priority CVSS
CVE-2026-27681 SQL Injection in SAP Business Planning and Consolidation / SAP Business Warehouse Critical 9.9
CVE-2026-34256 Missing Authorization in SAP ERP and S/4 HANA (Private Cloud & On-Premise) High 7.1
CVE-2025-64775 Denial of Service in SAP BusinessObjects BI Platform Medium 6.5
CVE-2026-34264 Information Disclosure in SAP HCM for S/4HANA Medium 6.5
CVE-2026-27674 Code Injection in SAP NetWeaver AS Java (Web Dynpro) Medium 6.1
CVE-2026-0512 XSS in SAP SRM Catalog (SICF Handler) Medium 6.1
CVE-2026-27675 Code Injection in SAP Landscape Transformation Low 2.0

For the full list of 19 vulnerabilities, visit the SAP Security Notes Portal. Timely patching remains critical to defend against evolving enterprise cyber threats.

Related Articles

Back to top button