SAP’s April 2026 security update addresses a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. This top-priority issue, detailed in Hot News note 3719353, stems from insufficient authorization checks and is fixed by deactivating the vulnerable code. Other high-risk patches were also released.
The April 2026 SAP Security Patch Day delivered a focused but significant set of updates, led by a critical SQL injection vulnerability. This flaw, covered by Hot News note 3719353, affects SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) and is caused by an insufficient authorization check in a user upload program. The patch resolves the issue by deactivating the executable code. Additionally, a high-risk vulnerability was patched in SAP ERP and S/4HANA via note 3731908, which addresses a missing authorization check that could allow attackers to overwrite ABAP reports. The month’s updates also included several lower-priority notes for missing authorization checks in S/4HANA and patches for Open Redirect, information disclosure, and code injection vulnerabilities across the SAP landscape.
Key Takeaways
- A critical SQL injection vulnerability was patched in SAP BPC and BW (Note 3719353).
- A high-risk authorization flaw in SAP ERP and S/4HANA could lead to report overwrites (Note 3731908).
- Multiple lower-priority notes address missing authorization checks in S/4HANA.
- Patches were also released for Open Redirect, information disclosure, and code injection flaws.
- A temporary workaround for the critical SQL injection is to restrict access to authorization object S_GUI.
What Are the Most Significant Vulnerabilities for April 2026?
The April 2026 SAP security notes are highlighted by a critical SQL injection vulnerability and a high-risk authorization flaw. The table below summarizes the most important patches released.
| SAP Note | Vulnerability Type | Affected SAP Product(s) | Risk Level |
| 3719353 | SQL Injection | SAP Business Planning and Consolidation, SAP Business Warehouse | Critical |
| 3731908 | Missing Authorization Check | SAP ERP, SAP S/4HANA | High |
| 3692004 | Open Redirect | SAP NetWeaver Application Server ABAP | Medium |
| 3719397 | Code Injection | SAP NetWeaver Application Server Java | Medium |
| 3680767 | Information Disclosure | SAP Human Capital Management (HCM) for S/4HANA | Medium |
| 3730639 | Information Disclosure | SAP HANA Cockpit, HANA Database Explorer | Medium |
What Is the Critical SQL Injection Vulnerability?
Hot News note 3719353 patches a critical SQL injection vulnerability found in SAP Business Planning and Consolidation and SAP Business Warehouse. The issue is caused by an insufficient authorization check for user uploads within a specific ABAP program. The official fix deactivates the executable code in the program, which prevents it from being executed by any user. As a temporary workaround, administrators can restrict access to the authorization object S_GUI with activity 60.
What Other High-Risk Vulnerabilities Were Patched?
Note 3731908 addresses a high-risk missing authorization check in SAP ERP and S/4HANA. This vulnerability could be exploited to overwrite ABAP reports, which would impact their availability. A recommended workaround is to restrict access to the vulnerable programs, RGJVCORG and RGJVCORX, using authorization groups.
In addition, several other lower-priority security notes were released to fix missing authorization checks in S/4HANA, including 3703813, 3715177, 3715097, 3711682, 3530544, and 3716767.
What Other Flaws Were Addressed in April 2026?
SAP also released patches for several other vulnerabilities across its product suite:
- Open Redirect: Note 3692004 fixes an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP that could be used to redirect users to malicious websites.
- Information Disclosure: Note 3680767 addresses a flaw in SAP Human Capital Management (HCM) for S/4HANA that could leak sensitive information. A separate note, 3730639, patches an information disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer related to mTLS for X.509 Certificates.
- Code Injection: Note 3719397 fixes a code injection vulnerability in the Web Dynpro runtime of SAP NetWeaver Application Server Java, which could be exploited to compromise user sessions.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability for April 2026?
The most critical vulnerability was a SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse, addressed by Hot News note 3719353. It resulted from insufficient authorization checks for user uploads.
How can the critical SQL injection vulnerability be mitigated without patching?
As a temporary workaround, administrators can restrict user access to the authorization object S_GUI with activity 60 to prevent the vulnerable upload functionality from being used.
Which SAP products were affected by high-risk authorization issues?
SAP ERP and SAP S/4HANA were affected by a high-risk missing authorization check (Note 3731908) that could allow for the overwriting of ABAP reports. Multiple other lower-priority authorization issues were also patched in S/4HANA.