SAP released 19 new and updated security notes on July 2026 security patch day, addressing critical vulnerabilities. The most significant flaw is CVE-2026-44747 (CVSS 9.9), a memory corruption issue in NetWeaver Application Server ABAP, allowing data access, modification, and system unavailability. Another critical vulnerability, CVE-2026-27690 (CVSS 9.1), involves HTTP request smuggling in Approuter, permitting unauthenticated access.
A hardcoded credential issue in Commerce Cloud (CVE-2026-44761, CVSS 9.1) could grant unauthorized data access. Users are urged to apply patches or disable affected ICF nodes temporarily. Additional updates addressed high-severity flaws across various SAP products, including Integration Suite and Commerce Cloud.