SAP Fixes Critical ABAP Security Vulnerability
SAP Releases Patches for Critical ABAP Vulnerability
SAP recently addressed a significant security issue with the release of 20 new and updated security notes as part of its April 2026 security patch day.
Critical Vulnerabilities
- CVE-2026-27681: A critical SQL injection vulnerability affecting Business Planning and Consolidation and Business Warehouse, holding a CVSS score of 9.9.
- CVE-2026-34256: A missing authorization check in ERP and S/4 HANA, enabling an attacker to execute an ABAP program and rewrite existing eight-character executable programs.
Medium-Severity Vulnerabilities
16 security notes deal with medium-severity vulnerabilities that could result in:
- Information disclosure
- Denial-of-service attacks
- Cross-site scripting
- Code injection
- Redirection to malicious content
“According to Onapsis, SAP resolved this issue by completely disabling the executable code.” – Onapsis
SAP emphasizes the importance of applying the security patches as soon as possible, noting that none of the vulnerabilities have been detected in the wild. Users are encouraged to review the available security notes and take necessary steps to protect their systems.