www.securityweek.com, 4/14/2026, 11:32:17 AM

SAP fixes critical SQLi in BW/BPC after April 2026 patch day

CyberSIXT evidence panel: CISA KEV: not in KEV; patch status: unknown.

SAP released 20 new and updated security notes as part of its April 2026 patch day, addressing flaws across more than a dozen enterprise products. The most severe fix is for CVE-2026-27681, a critical SQL injection in Business Planning and Consolidation (BPC) and Business Warehouse (BW) that could allow arbitrary code execution. According to Onapsis, the vulnerable ABAP program allows a low-privileged user to upload a file containing arbitrary SQL statements, which are then executed.

Pathlock’s senior product manager Jonathan Stross also described how the upload function could be exploited for direct database abuse, enabling an attacker to read and tamper with data without user interaction. SAP resolved the issue by completely deactivating the executable code, according to Onapsis. A second note, for the high-severity CVE-2026-34256, could be exploited to execute an ABAP program and rewrite eight-character executable programs.

The remaining notes cover medium- and low-severity vulnerabilities patched across SAP’s product stack, with guidance urging prompt application of the updates.


Article by CyberSIXT
