SAP has released 20 security notes on its June 2026 Patch Day, headlined by a CVSS 9.9 XML Signature Wrapping flaw in SAML authentication that could allow attackers to forge identities and compromise enterprise systems worldwide.
Enterprise software giant SAP has issued its most significant security update of 2026, releasing twenty new and updated security notes on its June Security Patch Day. The release addresses four critical-severity vulnerabilities — including a near-perfect CVSS 9.9 flaw in SAML authentication — that collectively pose severe risks to the enterprise resource planning (ERP) ecosystems of thousands of organizations globally. System administrators have been urged to apply patches on an emergency basis.
The most severe vulnerability patched this month, tracked as CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping weakness within the SAML authentication layer of SAP NetWeaver Application Server ABAP and ABAP Platform. According to SAP security firm Onapsis, which supported SAP in identifying and patching two of the four new critical HotNews notes, an authenticated attacker with low-level privileges can exploit this flaw to obtain a valid signed SAML message, manipulate the XML structure, and submit a modified document that the system incorrectly accepts as authentic.
"Due to improper XML signature verification, the manipulated identity information is accepted, leading to unauthorized access to sensitive user data and potential disruption of normal system usage," Onapsis explained in its advisory. Successful exploitation gives attackers the ability to impersonate other users, escalate privileges, and cause cascading disruptions to business operations — all devastating in environments using Single Sign-On (SSO) or federated authentication. The only available temporary workaround is to disable SAML authentication entirely; the permanent fix requires applying SAP Security Note 3746332.
The second critical vulnerability, CVE-2026-27671 (CVSS 9.8), is a memory corruption flaw in the Application Server ABAP kernel of SAP NetWeaver and ABAP Platform. The bug stems from improper validation of the RFC protocol — a proprietary SAP communication standard in use for over 30 years. An unauthenticated remote attacker can send a specially crafted RFC request, triggering logical errors in kernel memory management that could lead to buffer overflow or heap corruption, with potential for arbitrary code execution and complete system compromise. Unlike CVE-2026-44748, no workaround exists; organizations must apply a kernel update as outlined in SAP Security Note 3717897.
Two additional critical vulnerabilities round out the June patch cycle. CVE-2026-22732 (CVSS 9.1) affects SAP Commerce Cloud and SAP Data Hub through a Spring Security framework flaw where HTTP security response headers may fail to be written under certain conditions, leaving web clients exposed to connection hijacking. CVE-2026-40128 (CVSS 9.0) is a directory traversal flaw in SAP NetWeaver Application Server Java Web Container, allowing unauthenticated attackers to craft malicious HTTP logon requests that manipulate file inclusion parameters to access or modify sensitive server data.
The stakes for enterprises running SAP are enormous. SAP systems concentrate extraordinarily high-value data — including financial records, HR and payroll data, supply chain information, and customer master data — in a single environment. A successful breach gives attackers access to everything in one compromise, making SAP a priority target for ransomware groups, nation-state actors, and financially motivated cybercriminals. In 2026, AI-assisted attack tools have been observed reverse-engineering SAP security patches and generating working exploits within hours of release, elevating the urgency of rapid patching to a critical operational priority.
This month's patch day follows a turbulent period for SAP security. In late April 2026, the "Mini Shai-Hulud" supply chain attack poisoned four SAP NPM packages, affecting over 1,800 developers by injecting credential-stealing malware capable of harvesting passwords from Chrome, Safari, Edge, Brave, and Chromium browsers. Just weeks later, SAP's May 2026 Patch Day addressed fifteen vulnerabilities including critical SQL injection flaws in S/4HANA (CVE-2026-34260, CVSS 9.6) and SAP Commerce (CVE-2026-34263, CVSS 9.6).
Organizations looking to understand their SAP vulnerability exposure and build a proactive defense posture should consider leveraging specialized SAP security assessment tools. Platforms like tozenLabs.com provide enterprise-grade SAP security visibility, helping organizations identify unpatched systems, overprivileged users, and misconfigurations before attackers can exploit them — precisely the proactive stance that security experts recommend given the accelerating pace of SAP-targeted attacks in 2026.
The Centre for Cybersecurity Belgium has issued its own advisory urging all affected organizations to install updates with the highest priority. SAP Security Patch Day is scheduled for the second Tuesday of every month; the next update is expected in July 2026.