SAP released June 2026 security updates for critical flaws in NetWeaver, Commerce Cloud, and Data Hub that could let attackers access sensitive data, crash systems, or bypass normal protections. The most severe issues are CVE-2026-44748, an XML Signature Wrapping flaw in NetWeaver AS ABAP and ABAP Platform SAML authentication rated 9.9; CVE-2026-27671, a 9.8 memory-corruption bug in the SAP kernel's RFC handling affecting NetWeaver and ABAP Platform; CVE-2026-22732, a 9.1 Spring Security header-handling issue affecting Commerce Cloud and Data Hub; and CVE-2026-40128, a 9.0 directory traversal flaw in NetWeaver Application Server Java reachable through crafted HTTP logon requests.
Why it matters: SAP systems often sit at the core of large companies' business operations, so critical flaws in NetWeaver and Commerce can have broad operational and data-security impact. Organizations using affected SAP products should review SAP's June 2026 notes, apply patches promptly, and use temporary mitigations such as disabling SAML where needed until updates are installed.
Bill Toulas
2026.06.09
98% relevant
This article covers the same June 2026 SAP patch event and adds details on the full set of 15 fixes, highlighting four critical flaws, including CVE-2026-44748 in NetWeaver, CVE-2026-27671 in ABAP, CVE-2026-22732 affecting Commerce Cloud and Data Hub, and CVE-2026-40128 in NetWeaver AS Java, plus two high-severity issues.
Ionut Arghire
2026.06.09
100% relevant
This article establishes a new tracked story around SAP's June 2026 Patch Day release and the specific critical CVEs affecting NetWeaver, Commerce Cloud, and Data Hub.