SAP Addresses 16 Vulnerabilities, Including Three Critical Flaws in July 2026 Patch Tuesday
**SAP** has released its July 2026 security updates, patching 16 vulnerabilities across various products. The update includes three critical flaws impacting **NetWeaver**, **Commerce Cloud**, and **AppRouter**, posing significant risks to data confidentiality, integrity, and system availability.
Enterprise software giant **SAP** has rolled out its July 2026 security updates, addressing a total of 16 vulnerabilities. Among these are three critical flaws that demand immediate attention from IT security professionals.
### Critical Vulnerabilities Detailed
The first critical vulnerability, tracked as **CVE-2026-44747**, is a memory corruption issue stemming from an out-of-bounds write weakness in the **NetWeaver Application Server ABAP (AS ABAP)**. This flaw could allow an authenticated attacker to exploit logical errors in memory management, leading to unauthorized data access, modification, or system unavailability. **SAP** emphasizes the high impact on confidentiality, integrity, and availability.
The second critical flaw, **CVE-2026-27690**, is an HTTP Request Smuggling vulnerability found in **SAP Approuter**. This Node.js-based middleware library, crucial for cloud applications on **SAP Business Technology Platform (SAP BTP)**, is susceptible to unauthenticated attackers. Exploitation through specially crafted HTTP requests could grant access to user responses and enable denial-of-service attacks.
Rounding out the critical trio is **CVE-2026-44761**, affecting the **SAP Commerce Cloud** enterprise e-commerce platform. This vulnerability arises from default credentials, which attackers could leverage to obtain valid access tokens and subsequently read or modify data via specific APIs.
### Broader Security Fixes
Beyond the critical issues, **SAP**'s July 2026 advisory also details fixes for six high-severity flaws, seven medium-severity, and one low-severity vulnerability. These encompass a wide range of attack vectors, including DLL hijacking, open redirect, missing authorization checks, remote code execution, cross-site scripting (XSS), path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations.
### Historical Context and Ongoing Threats
While **SAP** has not yet found evidence of these newly patched vulnerabilities being exploited in the wild, the **CISA** has previously added 14 **SAP** security flaws to its Known Exploited Vulnerabilities catalog since November 2021. Notably, two of these past vulnerabilities were actively abused by ransomware gangs.
This latest patch cycle follows **SAP**'s June 2026 Security Patch package, which addressed 15 vulnerabilities. Furthermore, in a recent supply chain attack, official **SAP npm** packages were compromised, aiming to steal credentials from developers' systems. Given **SAP**'s significant global footprint, serving 99 of the 100 largest companies worldwide and reporting over β¬36 billion in revenues for fiscal year 2025, continuous vigilance and prompt patching are paramount for its extensive user base.