SAP Releases 20 Security Notes on April 2026 Patch Day
SAP published 20 new and updated security notes on Tuesday as part of its April 2026 security patch day. The release spans a wide range of products and severity levels, with the most critical fix targeting a dangerous SQL injection vulnerability capable of enabling arbitrary code execution across two major SAP platforms.
CVE-2026-27681: A Near-Perfect CVSS Score Demands Immediate Attention
The headline flaw, tracked as CVE-2026-27681, carries a CVSS score of 9.9 — the highest rating in this batch — and resides in Business Planning and Consolidation (BPC) and Business Warehouse (BW). Software security firm Onapsis describes the root cause clearly:
The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed.
The implications of that design flaw are severe. According to Jonathan Stross, senior product manager at Pathlock, the upload functionality can be weaponized for direct database abuse, enabling an attacker to read and manipulate data without requiring any user interaction.
What a Successful Exploit Looks Like
Stross outlined a realistic attack scenario in detail:
In a potential attack scenario, an attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores. Once successfully exploited, the vulnerability can allow an attacker to extract sensitive financial data, alter reports, models, or consolidation figures, delete or corrupt database content, and create major disruption.
In other words, a low-privileged insider or compromised account could silently devastate an organization's financial data integrity. Onapsis confirmed that SAP resolved the issue by completely deactivating the executable code responsible for the vulnerable upload behavior.
High-Severity Authorization Bypass in ERP and S/4HANA
Also released on Tuesday was a security note addressing a high-severity missing authorization check affecting SAP ERP and S/4HANA. Tracked as CVE-2026-34256, this flaw could be exploited to execute an ABAP program and rewrite existing eight-character executable programs — a capability that could be misused to tamper with business logic or introduce backdoors into core enterprise workflows.
Sixteen Medium-Severity Fixes Across a Broad Product Landscape
The bulk of the April patch day consists of 16 security notes — 15 new and 1 updated — all addressing medium-severity vulnerabilities. The range of potential impacts is broad and includes:
- Information disclosure
- Denial-of-service (DoS) attacks
- Cross-site scripting (XSS)
- Code injection
- Redirection to malicious content
- Code execution within the victim's browser
The affected products span a significant portion of the SAP portfolio:
- BusinessObjects
- Business Analytics
- Content Management
- S/4HANA
- Supplier Relationship Management
- NetWeaver
- HANA Cockpit and HANA Database Explorer
- Material Master Application
- S4CORE
Low-Severity Code Injection Bugs Round Out the Release
Two additional security notes address low-severity code injection vulnerabilities in NetWeaver and Landscape Transformation. While these carry a lower risk rating, unpatched code injection flaws in widely deployed middleware like NetWeaver have historically been leveraged as stepping stones in broader attack chains.
No Active Exploitation Reported — But Urgency Remains
SAP has stated that none of the vulnerabilities addressed in this patch cycle are known to be exploited in the wild at this time. Despite that, the presence of a near-maximum CVSS score on CVE-2026-27681 and its low privilege requirement make rapid patching essential. Organizations running BW, BPC, ERP, S/4HANA, or NetWeaver environments are strongly advised to review and apply the relevant security notes as soon as possible.
The April 2026 release follows a series of recent high-profile SAP patch days, including fixes for critical vulnerabilities in FS-QUO, NetWeaver and CRM, as well as the January 2026 and December 2025 patch days, which also addressed critical-severity issues across the SAP product family.
Source: SecurityWeek