SAP Addresses Critical Vulnerabilities in July 2026 Security Updates
SAP has released its July 2026 security updates, patching several critical vulnerabilities across its enterprise software suite. Among the most significant is an out-of-bounds write flaw in **SAP NetWeaver Application Server ABAP** (**CVE-2026-44747**), alongside other high-severity issues affecting **SAP Approuter** and **SAP Commerce Cloud**. IT security professionals are urged to apply these patches promptly to mitigate potential risks.
Enterprise software giant **SAP** has rolled out a series of crucial security updates as part of its July 2026 patch day. These updates target multiple vulnerabilities, including a critical flaw in **SAP NetWeaver Application Server ABAP** that could lead to significant data compromise.
### Critical Out-of-Bounds Write in NetWeaver
The most severe vulnerability addressed is **CVE-2026-44747**, boasting a CVSS score of 9.9. This out-of-bounds write flaw in **SAP NetWeaver Application Server ABAP** allows an authenticated attacker to exploit logical errors in memory management. Successful exploitation could trigger memory corruption, potentially leading to unauthorized data access, modification, or complete system unavailability.

Security firm **Onapsis** highlighted a temporary workaround involving disabling specific ICF nodes in transaction SICF. However, they strongly recommend installing the patched ABAP Kernel version, as the workaround can disable SAP GUI for HTML transactions, making it impractical for many organizations.
### Other High-Severity Flaws Addressed
**SAP** also patched two other critical vulnerabilities, both with a CVSS score of 9.1:
* **CVE-2026-27690**: An HTTP request/response smuggling flaw impacting **SAP Approuter** deployments in non-Cloud Foundry environments. An unauthenticated attacker can send a specially crafted HTTP request, causing request-response desynchronization. This can expose user responses and facilitate denial-of-service (DoS) attacks.
* **CVE-2026-44761**: A use of default credentials flaw found in **SAP Commerce Cloud**. This vulnerability stems from sample OAuth 2.0 client configurations provided in the **SAP Help Portal** documentation that retain publicly documented sample credentials.
### Default Credentials in Commerce Cloud: A Persistent Risk
Regarding **CVE-2026-44761**, the **NIST National Vulnerability Database (NVD)** describes how an unauthenticated attacker could leverage these well-known credentials to obtain a valid access token. This token could then be used to invoke specific APIs, leading to reading and modifying data. The impact on confidentiality and integrity is high, though availability remains unaffected.
**Onapsis** elaborated that this issue originates from sample configuration scripts in older versions of the **SAP Help Portal** documentation. These scripts, intended for development and testing, configured OAuth 2.0 clients with hard-coded, well-known credentials without explicit warnings against their use in production environments.
Exploitation requires customers to have executed these sample scripts and retained the resulting OAuth 2.0 client in production without replacing the hard-coded secret. Customers who have removed the sample client or replaced the secret with a strong, unique value are not affected.
### Recommendations for SAP Users
While there is no current evidence of these flaws being actively exploited in the wild, **SAP** strongly advises customers to apply the necessary updates without delay for optimal protection. Additionally, organizations running **SAP Commerce Cloud** should audit their production environments for the presence of the affected sample OAuth 2.0 client and remove it if found.