Hot news note 3747367 addresses a critical memory corruption vulnerability in SAP NetWeaver Application Server ABAP, tracked as CVE-2026-44747. An authenticated attacker could exploit faulty memory-management logic to perform an out-of-bounds stack write, potentially gaining unauthorized access to data, modifying information, or causing system unavailability. The vulnerability therefore has a high impact on confidentiality, integrity, and availability. SAP’s correction introduces proper validation of allocated memory boundaries to prevent the unsafe write. Customers should implement the correction instructions, applicable Support Packages, or the ABAP Kernel patch referenced in the note. A temporary workaround is available by disabling all ICF services configured with the GUI Interface option, including /sap/bc/gui and relevant custom services. However, this disables SAP GUI for HTML functionality and may significantly disrupt operations, so SAP strongly recommends installing the kernel patch instead. Further technical information is available in SAP Knowledge Base Article 3779058.
Hot news note 3727078 addresses a critical directory traversal vulnerability in the Web Container of SAP NetWeaver Application Server Java, tracked as CVE-2026-40128. An unauthenticated remote attacker could craft a malicious HTTP logon request that manipulates file-inclusion parameters, allowing traversal outside the intended directory and processing of a local file. Successful exploitation could expose or modify sensitive information or cause parts of the system to become unavailable. The vulnerability results from insufficient path validation and has a CVSS score of 9.0, with high impact on confidentiality, integrity, and availability. SAP has corrected the issue by preventing traversal outside the intended application context. The note was re-released on July 14, 2026, with updated patch information, extending the ENGINEAPI 7.50 correction coverage from Support Package 20 through Support Package 28. Customers should implement the referenced Support Packages and patches immediately, as no workaround is available. Additional guidance is provided in SAP Note 1974464 and FAQ document 3758864.
Note 3720138 addresses a high-risk HTTP request smuggling vulnerability in SAP Approuter, tracked as CVE-2026-27690. An unauthenticated remote attacker could send a specially crafted HTTP request that causes request-response desynchronization between systems. Successful exploitation could expose other users’ responses and disrupt service availability, resulting in high impact on confidentiality and availability. The vulnerability affects SAP Approuter deployments running in non-Cloud Foundry environments, including relevant XSA scenarios. SAP has resolved the issue in Approuter version 20.10.0 and later by automatically setting DISABLE_CONNECTION_REUSE to TRUE when the application runs outside Cloud Foundry. Customers should upgrade the @sap/approuter Node.js package to version 20.10.0 or above. Organizations using SAP HANA XS Advanced should also follow the mitigation guidance in SAP Note 3770203. The vulnerability has a CVSS score of 9.1 and requires no authentication, user interaction, or elevated privileges. Additional information is available in FAQ SAP Note 3731137.
Note 3753495 addresses insecure sample OAuth2 credentials in SAP Commerce Cloud, tracked as CVE-2026-44761. SAP Commerce documentation previously included sample ImpEx scripts that created an OAuth2 client named trusted_client using publicly documented credentials intended only for development and testing. If a customer executed the script in production and retained the original client secret, an unauthenticated attacker could use the credentials to obtain a valid access token and invoke certain APIs to read or modify data. Successful exploitation has a high impact on confidentiality and integrity but does not affect availability. Customers should audit production environments for the trusted_client OAuth2 client and remove it when it still uses the documented sample secret. As an immediate temporary measure, the client secret should be rotated to a strong, randomly generated value. Environments where the sample client was removed or its secret was already replaced are not affected. SAP has also updated the relevant Commerce documentation, with further guidance available in FAQ SAP Note 3758007.