SAP security note 3746332 addresses CVE-2026-44748, an XML Signature Wrapping vulnerability in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability allows an authenticated low-privileged attacker to obtain a valid signed SAML or signed XML message, manipulate the XML structure, and submit a modified document that may still pass signature validation if the verifier processes unsigned or attacker-controlled identity elements. Successful exploitation could result in tampered SAML assertions being accepted by the SAP system, enabling unauthorized access to sensitive user data, privilege misuse, identity impersonation, and disruption of normal application processing. The issue affects the trust boundary between XML signature verification and SAML identity consumption, making it particularly relevant for systems using SSO, Web Service Security, or federated authentication. SAP has corrected the affected functions to enforce proper XML signature validation and recommends implementing the correction instructions or relevant Support Packages. Disabling SAML authentication is available as a temporary workaround but should only be used after assessing operational impact, as the permanent remediation is to apply the SAP-provided corrections.
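The trust-boundary problem described above is easiest to see in code. The following Python is an added illustration and is not SAP code or the fix shipped in the note: it contrasts a consumer that takes the first NameID it finds with one that only trusts the Assertion the enveloped signature actually references. It assumes the cryptographic check of the signature (digest and SignatureValue) is done elsewhere, so the placeholder values in the constructed sample are never verified; the sample document, namespace constants and function names are the example's own.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not real SAP traffic): a Response carrying two Assertions.
# The first is unsigned; the second is the one the Signature's Reference points
# at. DigestValue/SignatureValue are placeholders: this check assumes the
# cryptographic verification of the signature happens elsewhere and only answers
# "which element did that verified signature actually cover?".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
                xmlns:ds="{DS_NS}" ID="_resp1">
  <saml:Assertion ID="_unsigned" Version="2.0">
    <saml:Subject><saml:NameID>unsigned-user</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Same constructed document with the unsigned Assertion reusing the signed ID.
DUPLICATE_ID_RESPONSE = SAMPLE_RESPONSE.replace('ID="_unsigned"', 'ID="_a1"')


class SamlValidationError(Exception):
    """Raised when the signed element and the consumed identity do not line up."""


def first_assertion_name_id(xml_text: str) -> str:
    """The pattern the note warns about: consume the first NameID in the
    document regardless of which element the signature covers."""
    root = ET.fromstring(xml_text)
    return root.find(f".//{{{SAML_NS}}}NameID").text


def signed_assertion_name_id(xml_text: str) -> str:
    """Return the NameID from the Assertion that the (already verified)
    enveloped signature actually covers, or raise SamlValidationError."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}

    # 1. ID attributes must be unique, otherwise the Reference URI is ambiguous.
    by_id = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is None:
            continue
        if el_id in by_id:
            raise SamlValidationError(f"duplicate ID {el_id!r}")
        by_id[el_id] = el

    # 2. Exactly one Signature with exactly one same-document Reference.
    signatures = list(root.iter(f"{{{DS_NS}}}Signature"))
    if len(signatures) != 1:
        raise SamlValidationError(f"expected one Signature, found {len(signatures)}")
    references = list(signatures[0].iter(f"{{{DS_NS}}}Reference"))
    if len(references) != 1:
        raise SamlValidationError(f"expected one Reference, found {len(references)}")
    uri = references[0].get("URI", "")
    if not uri.startswith("#") or uri[1:] not in by_id:
        raise SamlValidationError(f"unresolvable Reference URI {uri!r}")
    signed = by_id[uri[1:]]

    # 3. Enveloped signature: the Signature must be a direct child of the element
    #    it references. A Signature moved elsewhere no longer vouches for the
    #    subtree it now sits in.
    if parent.get(signatures[0]) is not signed:
        raise SamlValidationError("Signature is not enveloped in the element it references")

    # 4. Take the identity from the signed subtree only: either the Assertion
    #    itself is signed, or the whole Response is and holds exactly one Assertion.
    assertion_tag = f"{{{SAML_NS}}}Assertion"
    if signed.tag == assertion_tag:
        assertion = signed
    elif signed.tag == f"{{{SAMLP_NS}}}Response":
        assertions = signed.findall(assertion_tag)
        if len(assertions) != 1:
            raise SamlValidationError(f"signed Response must hold one Assertion, found {len(assertions)}")
        assertion = assertions[0]
    else:
        raise SamlValidationError(f"signed element {signed.tag!r} is not an Assertion or Response")

    name_id = assertion.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None or not name_id.text:
        raise SamlValidationError("signed Assertion carries no NameID")
    return name_id.text


def rejection_reason(xml_text: str) -> Optional[str]:
    """None when the document is accepted, otherwise the validation error text."""
    try:
        signed_assertion_name_id(xml_text)
    except SamlValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("first-NameID consumer sees:", first_assertion_name_id(SAMPLE_RESPONSE))
    print("signature-bound consumer sees:", signed_assertion_name_id(SAMPLE_RESPONSE))
    print("duplicate-ID document:", rejection_reason(DUPLICATE_ID_RESPONSE))
```

The point of the four checks is that identity is read from the element the verified Reference resolves to, never from a lookup by element name or position, and that the resolution itself is unambiguous (unique IDs, one Signature, one Reference, enveloped placement). Production code would additionally confirm the Reference's transforms and the signing certificate, which a SAML library normally handles.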
Note 3717897 patches CVE-2026-27671, a memory corruption vulnerability in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform. The vulnerability impacts kernel-level RFC protocol handling for ABAP-based SAP systems, including SAP NetWeaver AS ABAP and ABAP Platform systems that use affected SAP Kernel patch levels. Due to improper validation of RFC protocol requests, an unauthenticated attacker could send a specially crafted RFC request to the application server and trigger logical errors in kernel memory management, potentially resulting in buffer overflow, heap overflow, or broader memory corruption conditions. Successful exploitation could compromise the confidentiality, integrity, and availability of the affected SAP application by enabling unauthorized data access, manipulation of application processing, service instability, or system disruption. SAP has corrected the issue through improved RFC protocol validation in the SAP Kernel, and remediation requires applying the relevant Kernel patch delivered through the applicable hotfix archive, such as dw.sar, or the SP Stack Kernel archives SAPEXE.SAR and SAPEXEDB.SAR. Customers should apply the latest available SAP Kernel patch level that contains the correction, review relevant regression guidance before deployment, and upgrade to a supported downward-compatible kernel where the current kernel release is out of maintenance.
Note 3727078 addresses CVE-2026-40128, a directory traversal vulnerability in the Web Container component of SAP NetWeaver Application Server Java. The vulnerability impacts Java-based SAP systems where the Web Container processes HTTP logon requests and associated file inclusion parameters. Due to insufficient path validation, an unauthenticated attacker could craft a malicious HTTP logon request that uses path traversal sequences to escape the intended application context and cause the server to process an unintended local file. Successful exploitation could expose or alter sensitive information, depending on the file reached and how it is processed, and could also affect system availability by rendering parts of the local system or application runtime unavailable. The issue is constrained by certain environmental conditions outside the attacker’s control, but the unauthenticated attack vector makes affected SAP NetWeaver AS Java systems, especially externally reachable logon endpoints, high priority for remediation. SAP has corrected the Web Container logic to prevent traversal outside the intended context, and customers should implement the referenced Support Packages and patches, with additional guidance available in SAP Note 1974464 and FAQ Note 3758864. No workaround is available, so applying the SAP-provided patches is the only effective remediation.
Note 3748262 patches CVE-2026-22732, a Spring Security vulnerability impacting SAP Commerce Cloud and SAP Data Hub through their use of vulnerable Spring Security versions. The issue affects the HTTP security header enforcement layer, where specific request paths may finalize the HTTP response before Spring Security can write required response headers, including security headers that protect against client-side and browser-mediated attack scenarios. In SAP Commerce Cloud, security headers are set through a multi-layer mechanism, but headers managed exclusively by Spring Security may not be covered by an alternate fallback path, creating a potential exposure where responses are delivered without the expected security controls. Successful exploitation could weaken browser-side protections and increase the risk of confidentiality and integrity compromise, although SAP indicates there is no impact on availability. SAP has remediated the issue by upgrading Spring Security to non-vulnerable versions in SAP Commerce Patch Release 2205.50, SAP Commerce Cloud Public Cloud Update Releases 2211.52 and 2211-jdk21.10, and SAP Data Hub Patch Releases 2205.50 and 2211.52. Customers should apply the relevant patch or update release, rebuild and redeploy SAP Commerce Cloud where applicable, and review FAQ Note 3761279 for required actions and implementation guidance.