
SAP releases urgent patches for multiple critical vulnerabilities including CVE-2026-44748

Type: vulnerability. Status: open. Jun 9, 2026 — Jun 9, 2026

SAP has issued emergency patches for a cluster of critical flaws affecting its NetWeaver and Commerce platforms, the most severe being CVE-2026-44748 with a CVSS score of 9.9. The update, released as part of the June 2026 security notes, addresses four vulnerabilities rated critical and includes fixes for several Apache Tomcat issues and an authorisation check gap.

CVE-2026-44748 stems from an XML Signature Wrapping weakness in the SAML authentication module, allowing an attacker to alter identity assertions and gain unauthorized access to privileged functions. CVE-2026-27671 is a memory corruption bug in the SAP kernel that could be triggered via specially crafted remote procedure calls, potentially leading to remote code execution.

CVE-2026-22732 resides in the Spring Security framework used by certain SAP Java applications, where insufficient validation of input permits bypass of authentication checks. Finally, CVE-2026-40128 is a directory traversal vulnerability in the Java Web Container that lets an unauthenticated user read arbitrary files on the server.

Exploiting the SAML flaw requires the attacker to inject a malformed XML element into a SAML response, tricking the service provider into accepting a forged identity. The memory corruption flaw can be reached through the SAP gateway service, where a crafted payload overflows a buffer and executes arbitrary code with the privileges of the SAP instance. Directory traversal is achieved by inserting ../ sequences into URL parameters processed by the web container, granting access to configuration files or source code. Chaining these issues could allow an intruder to move from initial foothold to full system compromise.

Although no threat actors have been linked to these vulnerabilities in the wild, the high CVSS scores and the ease of exploitation make them attractive targets for opportunistic attackers. SAP’s June 2026 release contains fifteen security notes, four of which cover the critical issues described above, while the remaining notes address various Apache Tomcat flaws and a missing authorisation check in the ABAP stack. The SecurityWeek report notes that the patches are already available for download from the SAP Support Portal, and the SecurityOnline article urges administrators to prioritise immediate application.

System administrators should first verify which SAP components are exposed to the internet or internal networks, focusing on NetWeaver gateway, ABAP kernel and Java Web Container instances. Applying the relevant security notes from the June 2026 bundle is the primary mitigation, and administrators are advised to test the patches in a non-production environment before rollout.

After deployment, reviewing authentication logs for anomalous SAML tokens and monitoring for unexpected outbound connections can help detect any attempted exploitation. Additionally, ensuring that the underlying Apache Tomcat instances are updated to the versions specified in the accompanying notes removes the secondary risk vectors.
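The SAML review step above can be partly automated. The following Python check is an added example written for this briefing, not code from SAP or from the cited reports: it flags the structural fingerprints of XML Signature Wrapping in a SAML Response (more than one Assertion, an Assertion nested where the service provider does not expect it, or a Signature Reference that points at an Assertion other than the one consumed). It uses only the standard library, the sample messages are constructed, and it is a pre-check to run before cryptographic signature validation, never a substitute for it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def xsw_indicators(response_xml: str) -> list[str]:
    """Return structural red flags for XML Signature Wrapping in a SAML Response.
    Does NOT verify the signature; run it before, never instead of, signature validation."""
    root = ET.fromstring(response_xml)
    findings = []
    all_assertions = root.findall(".//saml:Assertion", NS)   # anywhere in the document
    top_assertions = root.findall("saml:Assertion", NS)      # direct children of Response
    if len(all_assertions) != 1:
        findings.append(f"expected exactly one Assertion, found {len(all_assertions)}")
    if len(all_assertions) != len(top_assertions):
        findings.append("Assertion nested outside the expected position (possible wrapped copy)")
    ids = [a.get("ID") for a in all_assertions]
    if len(ids) != len(set(ids)):
        findings.append("duplicate Assertion ID values")
    # The Signature Reference must point at the Assertion the service provider will consume
    consumed_id = top_assertions[0].get("ID") if top_assertions else None
    for ref in root.findall(".//ds:Reference", NS):
        target = ref.get("URI", "").lstrip("#")
        if target != consumed_id:
            findings.append(f"Signature Reference '{target}' does not match consumed Assertion '{consumed_id}'")
    return findings

# Constructed sample messages (not real SAP traffic); the signature is a placeholder skeleton.
def _response(body: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1">{body}</samlp:Response>')

def _assertion(aid: str, subject: str) -> str:
    return (f'<saml:Assertion ID="{aid}"><saml:Subject><saml:NameID>{subject}</saml:NameID>'
            f'</saml:Subject></saml:Assertion>')

SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'

BENIGN = _response(SIG + _assertion("_a1", "alice"))
# Wrapped shape: the signed Assertion is moved under Extensions and an unsigned one sits where the SP reads it
WRAPPED = _response(SIG + "<samlp:Extensions>" + _assertion("_a1", "alice") + "</samlp:Extensions>"
                    + _assertion("_a2", "admin"))

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("wrapped", WRAPPED)):
        print(name, xsw_indicators(doc) or "no indicators")
```

Run it over archived SAML responses from the authentication logs; any non-empty finding list is worth a manual look even when the signature verified, because a wrapped document can carry a valid signature over the wrong element.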

Beyond patching, organisations should enforce the principle of least privilege on service accounts, disable any unused SOAP or REST endpoints, and place critical SAP systems behind network segmentation with strict firewall rules. Regular vulnerability scanning and subscribing to SAP security advisories will help catch similar issues before they are exploited in the wild.

Intelligence briefing updated Jun 10, 2026

CVE-2026-44748: CVSS 9.9
CVE-2026-27671: CVSS 9.8
CVE-2026-22732: CVSS 9.1
CVE-2026-40128: CVSS 9.0

Root source: support.sap.com