
SAP June 2026 Security Patch Day: Critical SAML Authentication Bypass Threatens Enterprise Systems Worldwide

SAP released 15 security notes on June 9, 2026. The most critical is CVE-2026-44748 (CVSS 9.9), an XML Signature Wrapping flaw in SAML authentication for SAP NetWeaver. A low-privileged attacker can forge identity data and bypass enterprise authentication. Three more critical CVEs were also patched.

By TozenNews Editorial Team | 4 min read


SAP released 15 new security notes on June 9, 2026, as part of its scheduled monthly Security Patch Day. The most severe issue in this cycle is CVE-2026-44748, an XML Signature Wrapping vulnerability in the SAML authentication layer of SAP NetWeaver AS ABAP and ABAP Platform. The flaw carries a CVSS score of 9.9 — one of the highest scores possible — and allows an attacker with only basic user privileges to forge identity information and gain unauthorized access across enterprise authentication boundaries. Organizations running affected SAP_BASIS versions from 702 through 919 should treat this as an emergency patch and not wait for standard maintenance windows.

How the SAML authentication bypass works

SAML, the Security Assertion Markup Language, underpins single sign-on in most large enterprises. It passes signed XML documents between identity providers and service providers to authenticate users. CVE-2026-44748 stems from a gap in how SAP NetWeaver validates those signatures. An authenticated attacker with normal user privileges can obtain a legitimately signed SAML message and then modify the XML structure before sending it to the verifier. In an XML Signature Wrapping attack of this kind, the originally signed element is left intact so the signature still verifies, while the identity data the application actually reads is moved to, or replaced by, an unsigned part of the document. Because the verifier does not validate the cryptographic signature against the complete XML document, it accepts the tampered identity data. The attacker then gains access to sensitive user records and can disrupt normal system operations.
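The defensive counterpart to the gap described above is to tie the element the application consumes to the element the signature actually covers. The following is an added illustration, not SAP code or part of Security Note 3746332: it assumes the XML-DSig signature value has already been verified by a proper library, and the two SAML Response samples (`LEGIT`, `WRAPPED`) are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signed_ids(root):
    """IDs the signature covers, read from each ds:Reference URI (same-document '#id' form only)."""
    ids = set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if len(uri) < 2 or not uri.startswith("#"):
            raise ValueError(f"unsupported Reference URI {uri!r}")
        ids.add(uri[1:])
    return ids

def select_trusted_assertion(xml_text):
    """Return the single Assertion the app may consume, or raise ValueError. Assumes the
    SignatureValue was already verified by a real XML-DSig library; this layer only binds
    the consumed element to the signed one, which is the gap signature wrapping abuses."""
    root = ET.fromstring(xml_text)
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):                     # wrapping variants often rely on duplicate IDs
        raise ValueError("duplicate ID attributes in SAML document")
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))   # anywhere in the tree, not just top level
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion not in list(root):                   # must sit directly under the Response
        raise ValueError("Assertion is not a direct child of the Response")
    covered = signed_ids(root)
    if assertion.get("ID") not in covered and root.get("ID") not in covered:
        raise ValueError("signature covers neither the Assertion nor the enclosing Response")
    return assertion

def trusted_name_id(xml_text):
    """NameID of the trusted Assertion, or None when the message is rejected."""
    try:
        return select_trusted_assertion(xml_text).find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text
    except ValueError:
        return None

# Constructed samples (not real SAP traffic); SignatureValue and KeyInfo omitted.
HEAD = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1">')
LEGIT = HEAD + ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
    '</saml:Assertion></samlp:Response>')
# Wrapped: an unsigned Assertion sits where the app looks; the signed original is parked in ds:Object.
WRAPPED = HEAD + ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>admin</saml:NameID>'
    '</saml:Subject></saml:Assertion><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
    '</ds:SignedInfo><ds:Object><saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice'
    '</saml:NameID></saml:Subject></saml:Assertion></ds:Object></ds:Signature></samlp:Response>')
```

Run against `LEGIT` the check yields `alice`; against `WRAPPED` it rejects the message on the duplicate-ID and multiple-Assertion rules before any identity data is read.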

The flaw is addressed by SAP Security Note 3746332 and affects every organization using SAML-based authentication, federated identity, or Web Service Security on SAP NetWeaver. The range of affected SAP_BASIS versions — 702 through 919 — is unusually wide and covers the vast majority of production SAP landscapes currently running worldwide. As a temporary workaround, SAML authentication can be disabled, though that will break SSO workflows and does not address all signed XML use cases. The permanent fix is to apply Security Note 3746332 immediately.

Three more critical vulnerabilities patched in the same cycle

Three additional critical-severity issues were addressed alongside CVE-2026-44748. CVE-2026-27671 (CVSS 9.8) is a memory corruption vulnerability in the SAP Kernel's RFC protocol handling. Unlike the SAML flaw, this one requires no authentication at all. An attacker can send a crafted RFC request without credentials and trigger stack-based buffer overflow conditions, potentially achieving arbitrary code execution. CISA's advisory flagged this flaw as automatable, meaning attackers could exploit it at scale without manual targeting.

CVE-2026-22732 (CVSS 9.1) affects SAP Commerce Cloud and SAP Data Hub through their bundled Spring Security framework. Under certain conditions, servlet applications configured to write HTTP security response headers may deliver responses without those headers in place, opening users to connection hijacking and cache-based data exposure. CVE-2026-40128 (CVSS 9.0) is a directory traversal flaw in SAP NetWeaver Application Server Java's Web Container. Unauthenticated attackers can send malicious HTTP logon requests that manipulate file inclusion parameters to reach sensitive files or cause denial-of-service conditions.

Why SAP environments are high-value targets in 2026

SAP systems hold the financial records, payroll data, supply chain configurations, and customer master data for over 400,000 organizations worldwide. A successful breach gives an attacker access to everything in a single compromise, which is exactly why ransomware groups, nation-state actors, and financially motivated threat groups prioritize SAP environments. Security researchers have noted that AI-assisted attack tools in 2026 can reverse-engineer SAP security patches and generate working exploits within hours of release, compressing the time organizations have to respond.

This patch cycle arrives less than six weeks after the Mini Shai-Hulud supply chain attack in late April 2026, which injected malware into four SAP npm packages used by developers building SAP cloud applications. The campaign stole GitHub tokens, npm tokens, and browser-stored credentials from more than 1,800 developers in CI/CD environments before it was detected. Organizations looking to go beyond reactive patching — running continuous SAP penetration testing and automated monitoring for authentication and privilege escalation vulnerabilities before attackers find them — can explore platforms like tozenlabs.com, which specializes in enterprise ERP attack surface management and SAP-focused security advisory services.

SAP's next scheduled Security Patch Day is the second Tuesday of July 2026. Given the severity and the wide version footprint of CVE-2026-44748 and CVE-2026-27671, organizations should not wait that long to assess their exposure on the June notes.
