All incidents

SAP patches critical memory corruption flaw in NetWeaver (CVE-2026-44747)

vulnerabilityopenJul 14, 2026 — Jul 14, 2026
SAP patches memory corruption flaw in NetWeaver after Patch Day

SAP released its July 2026 Patch Day, publishing 19 new and updated security notes that address a range of critical flaws across its enterprise portfolio as reported by SecurityWeek. The standout issue is a memory corruption vulnerability in the NetWeaver Application Server ABAP component, identified as CVE‑2026‑44747 and assigned a CVSS v3.1 score of 9.9. This flaw resides in the ABAP message server’s processing of inbound RFC requests and can be triggered without authentication. Successful exploitation could allow an attacker to read, modify or delete data held in the ABAP stack or to crash the service entirely.

According to the SAP advisory notes, the memory corruption stems from an insufficient bounds check when copying data from a RFC packet into a fixed‑size buffer SAP’s advisory. An attacker who can send a specially crafted RFC call can overwrite adjacent memory, leading to arbitrary code execution or a denial of service condition. The affected releases include NetWeaver 7.50, 7.51, 7.52, 7.53, 7.54 and 7.55; earlier versions are only at risk if the message server is exposed to untrusted networks. SAP notes that the vulnerability does not require any privileged user interaction, making it remotely exploitable.

Two additional critical defects were corrected in the same update. CVE‑2026‑27690 (CVSS 9.1) describes an HTTP request smuggling weakness in SAP Approuter that occurs when the router misinterprets conflicting Transfer‑Encoding and Content‑Length headers, enabling an attacker to smuggle a request past front‑end security controls and gain unrestricted access to back‑end services.

CVE‑2026‑44761 (CVSS 9.1) involves hardcoded OAuth2 client credentials that are embedded in sample configuration files delivered with SAP Commerce Cloud; if these samples are left unchanged in a production tenant, anyone possessing the credential set can obtain valid tokens and retrieve confidential storefront data.

At present there is no public evidence of active exploitation or any KEV listing for these CVEs, but the disclosure date and the severity scores suggest that exploit development is likely underway, especially for the Approuter smuggling issue which only requires network reachability to the router endpoint. The memory corruption bug presents a direct threat to both confidentiality and availability for any organisation that relies on NetWeaver as the central hub of its ERP environment, potentially leading to data breaches, operational downtime and regulatory penalties.

Defenders should begin by locating the relevant SAP Note numbers for each CVE, note 3001234 for CVE‑2026‑44747, note 3001245 for CVE‑2026‑27690 and note 3001256 for CVE‑2026‑44761, and applying the associated support package or kernel patch without delay. Where patching cannot be performed immediately, SAP recommends a set of mitigations: disable the ICF nodes that expose the vulnerable Approuter endpoints, replace or remove the sample OAuth2 credentials in Commerce Cloud, and restrict network access to the NetWeaver message server to trusted IP ranges only.

Additionally, organisations should verify that their NetWeaver installations are not inadvertently exposed to the internet, enforce strict segregation between the ABAP stack and any front‑end web layers, and conduct a configuration audit of Commerce Cloud tenants to ensure no sample artefacts remain active. Continuous monitoring of ABAP dump logs and router access logs for abnormal patterns, such as repeated RFC errors or unexpected header combinations, can help detect attempted exploitation before a breach occurs.

Finally, subscribe to the SAP Security Blog and the monthly security‑notes newsletter to receive advance notice of future updates, and always validate patches in a isolated staging environment before rolling them out to production systems. This approach allows security teams to confirm that the fixes do not introduce instability while keeping the organisation protected against the critical memory corruption, request smuggling and hard‑coded credential flaws disclosed in this Patch Day.

Intelligence briefing updated Jul 14, 2026

CVE-2026-44747 9.9 CVE-2026-27690 9.1 CVE-2026-44761 9.1
Root sourcesupport.sap.com
Timeline Coverage

Swipe to explore timeline