SAP has released its April 2026 Security Patch Day update, addressing 19 new security notes and one updated note covering a wide range of vulnerabilities from a near-perfect CVSS 9.9 critical SQL injection flaw to low-severity code injection bugs.
Affecting core enterprise products, including SAP S/4HANA, SAP NetWeaver, SAP BusinessObjects, and SAP Business Planning and Consolidation.
Organizations running SAP landscapes should treat this patch cycle as a top priority, particularly given the critical-severity vulnerability with one of the highest CVSS scores in recent SAP patch history.
The most severe vulnerability patched this cycle is CVE-2026-27681 (SAP Note 3719353), a SQL Injection flaw affecting SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) with a near-maximum CVSS score of 9.9 (Critical).
This vulnerability affects versions HANABPC 810, BPC4HANA 300, and SAP_BW 750 through 816, exposing a broad range of production environments.
An authenticated, low-privileged attacker can exploit this flaw over the network without user interaction, potentially gaining full control over confidentiality, integrity, and availability.
Across system boundaries a “Scope Changed” attack vector that significantly amplifies the damage radius. Customers using any of the affected BW or BPC versions must apply SAP Note 3719353 immediately.
Missing Authorization in SAP ERP and S/4HANA
The second most critical patch addresses CVE-2026-34256 (SAP Note 3731908), a Missing Authorization Check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) with a CVSS score of 7.1 (High).
This flaw affects a wide deployment footprint covering SAP_FIN 618/720/730, EA-FIN 617/700, SAPSCORE 135, and S4CORE versions 102 through 109, as well as EA-APPL versions 600 through 606.
Exploitation could allow an authenticated attacker to manipulate financial records or disrupt services, posing a significant risk to any organization running core financial operations on SAP ERP. The breadth of affected versions underscores the urgency for enterprise SAP teams to audit their authorization frameworks.
Authorization Gaps Across S/4HANA OData Services
Several medium-severity authorization vulnerabilities were patched across SAP S/4HANA OData services this month, all carrying a CVSS score of 6.5:
- CVE-2026-27677 (Note 3715097) Missing Authorization in SAP S/4HANA OData Service for Manage Reference Equipment (S4CORE 109), allowing unauthorized data modification.
- CVE-2026-27678 (Note 3715177) Missing Authorization in SAP S/4HANA Backend OData Service for Manage Reference Structures (S4CORE 109), with high integrity impact.
- CVE-2026-27679 (Note 3716767) Missing Authorization in SAP S/4HANA Frontend OData Service for Manage Reference Structures (UIS4H 109), exposing data modification risks.
- CVE-2026-34261 (Note 3705094) Missing Authorization in SAP Business Analytics and SAP Content Management, enabling unauthorized data exposure.
- CVE-2026-34264 (Note 3680767) Information Disclosure in SAP Human Capital Management for SAP S/4HANA, exposing sensitive HR data.
These vulnerabilities highlight a systemic pattern of authorization gaps in SAP’s OData service layer, a common attack surface for authenticated insiders or compromised credentials.
DoS, XSS, and Open Redirect Vulnerabilities Addressed
The April 2026 patch bundle also resolves several injection and redirection vulnerabilities that, while rated medium severity, carry serious abuse potential in phishing and session-hijacking scenarios:
- CVE-2025-64775 (Note 3696239) Denial of Service in SAP BusinessObjects BI Platform (CVSS 6.5), affecting ENTERPRISE 430, 2025, and 2027.
- CVE-2026-0512 (Note 3645228) Cross-Site Scripting (XSS) in SAP Supplier Relationship Management SICF Handler/SRM Catalog (CVSS 6.1), affecting SRM_SERVER 702, 713, 714.
- CVE-2026-27674 (Note 3719397) Code Injection in SAP NetWeaver AS Java (Web Dynpro Java) (CVSS 6.1), WD-RUNTIME 7.50.
- CVE-2026-34257 (Note 3692004) Open Redirect in SAP NetWeaver AS ABAP (CVSS 6.1), affecting SAP_BASIS versions 700 through 816.
These flaws can be weaponized for phishing attacks by redirecting legitimate SAP users to malicious external sites or for session theft through injected scripts.
Two vulnerabilities affect SAP HANA Cockpit and SAP BusinessObjects: CVE-2026-34262 (Note 3730639) an Information Disclosure in SAP HANA Cockpit and HANA Database Explorer (CVSS 5.0) and CVE-2026-24318 (Note 3702191) an Insecure Session Management flaw in SAP BusinessObjects BI Platform (CVSS 4.2).
While less severe, both flaws can leak sensitive system or session data to network-adjacent attackers, particularly dangerous in multi-tenant cloud environments.
CVE-2026-27675 (Note 3723097) is a Code Injection flaw in SAP Landscape Transformation with a CVSS score of 2.0 (Low), affecting DMIS versions 2011_1_700 through 2020 and S4CORE 102–109.
This vulnerability resides in an RFC-exposed function module that could allow a high-privileged attacker to inject arbitrary ABAP code and operating system commands, resulting in low-impact integrity modifications.
Recommended mitigations include applying SAP Note 3723097, restricting access to RFC-exposed function modules, and reviewing RFC user privileges.
An update was also released for CVE-2025-42899 (Note 3530544), originally published on the November 2025 Patch Day, a Missing Authorization Check in SAP S4CORE’s Manage Journal Entries function, rated CVSS 4.3, as reported by sap, affecting S4CORE versions 104 through 108. Organizations that applied the original patch should review the updated note to confirm complete remediation.
Recommended Actions for SAP Administrators
SAP strongly recommends that all customers immediately apply the relevant security notes through the SAP Support Portal. Key prioritization steps:
- Apply SAP Note 3719353 first; the CVSS score of 9.9for the SQL injection flaw in SAP BPC/BW poses the highest immediate risk.
- Patch SAP Note 3731908 for the High-severity authorization gap in SAP ERP and S/4HANA.
- Audit OData service authorization objects across all S4CORE 109 deployments to address the cluster of CVSS 6.5 missing-auth flaws.
- Review the RFC function module exposure and restrict unnecessary RFC permissions in SAP Landscape Transformation environments.
- Confirm the updated Note 3530544 has been re-applied to cover the revised scope of CVE-2025-42899.
Frequently Asked Questions (FAQs)
Q1: What is the most critical vulnerability in SAP’s April 2026 Patch Day?
CVE-2026-27681, a CVSS 9.9 SQL Injection in SAP Business Planning and Consolidation and SAP Business Warehouse (SAP Note 3719353), is the most critical and should be patched immediately.
Q2: Which SAP products are affected by the April 2026 security patches?
Affected products include SAP S/4HANA, SAP ERP, SAP NetWeaver AS ABAP/Java, SAP BusinessObjects BI Platform, SAP HANA Cockpit, SAP Business Warehouse, SAP Landscape Transformation, and SAP Supplier Relationship Management.
Q3: How can organizations prioritize which SAP security notes to apply first?
Organizations should prioritize by CVSS score, addressing the Critical (9.9) and High (7.1) severity notes first, then systematically applying Medium-severity patches based on which products are deployed in their landscape.
Q4: Where can SAP customers download the April 2026 security patches?
All patches and security notes are available through the official SAP Support Portal at support.sap.com under the Security Notes & News section.
Site: thecybrdef.com
About the Author
