SAP February 2026 Updates Patch Critical CRM, S/4HANA and NetWeaver Flaws
Take action: Make sure all SAP platforms are isolated from the internet and accessible from trusted networks only. Prioritize patching the critical vulnerabilities in the CRM and S/4HANA Scripting Editor and in NetWeaver Application Server ABAP, then address the high-severity XML Signature Wrapping flaw in NetWeaver and the DoS issues in Supply Chain Management and BusinessObjects.
SAP released 26 new security notes and 1 update to a previously released note for February 2026 to fix several flaws that could let attackers take over business systems. Two of these fixes address critical issues in CRM, S/4HANA, and NetWeaver Application Server ABAP.
Vulnerabilities summary:
- CVE-2026-0488 (CVSS score 9.9) - Code Injection in SAP CRM and SAP S/4HANA (Scripting Editor). This vulnerability affects versions S4FND 102 through 109, SAP_ABA 700, and WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801. The flaw impacts the Scripting Editor component and can be exploited by authenticated attackers to execute arbitrary SQL statements. A successful exploit can lead to a full compromise of the database with high impact on confidentiality, integrity, and availability of the application.
- CVE-2026-0509 (CVSS score 9.6) - Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform affecting versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19. Under certain circumstances, an authenticated, low-privileged user can perform background remote function calls without the required S_RFC authorization, potentially leading to unauthorized operations across the system.
- CVE-2026-23687 (CVSS score 8.8) - XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform
- CVE-2026-23689 (CVSS score 7.7) - Denial of Service (DoS) in SAP Supply Chain Management
- CVE-2026-24322 (CVSS score 7.7) - Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)
- CVE-2026-0490 (CVSS score 7.5) - Denial of Service (DoS) in SAP BusinessObjects BI Platform
- CVE-2026-0485 (CVSS score 7.5) - Denial of Service (DoS) in SAP BusinessObjects BI Platform
- CVE-2025-12383 (CVSS score 7.4) - Race Condition in SAP Commerce Cloud
- CVE-2026-0508 (CVSS score 7.3) - Open Redirect in SAP BusinessObjects Business Intelligence Platform
The remaining seventeen security notes resolve medium- and low-severity vulnerabilities across multiple SAP products.
Medium-severity flaws include CVE-2026-0484 (CVSS score 6.5) affecting SAP NetWeaver Application Server ABAP and SAP S/4HANA; CVE-2026-24324 (CVSS score 6.5), a DoS vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools); multiple vulnerabilities (CVE-2026-0505, CVE-2026-24323) in BSP Applications of SAP Document Management System (CVSS score 6.1); CVE-2026-24328 (CVSS score 6.1), an Open Redirect in Business Server Pages Application; and an updated note for CVE-2025-0059 (CVSS score 6.0), an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP. Additional medium-severity issues include race condition and information disclosure flaws in SAP Commerce Cloud (CVE-2026-23684, CVE-2026-24321); an information disclosure issue in SAP Business One (CVE-2026-24319); missing authorization checks in SAP Business Workflow (CVE-2026-24312), ABAP-based SAP systems (CVE-2026-0486), SAP Fiori App (CVE-2026-23688), SAP Support Tools Plug-In (CVE-2026-23681), SAP S/4HANA Defense & Security (CVE-2026-24326), and SAP Strategic Enterprise Management (CVE-2026-24327); a Cross-Site Scripting flaw in SAP BusinessObjects Enterprise (CVE-2026-24325); and an insecure deserialization issue in SAP NetWeaver JMS service (CVE-2026-23685).
Low-severity issues include CVE-2026-23686 (CVSS score 3.4) addressing a CRLF Injection vulnerability in SAP NetWeaver Application Server Java and CVE-2026-24320 involving Memory Corruption in SAP NetWeaver and ABAP Platform (Application Server ABAP).
SAP does not mention whether any of these vulnerabilities are being exploited in the wild. SAP advises that users check the SAP Support Portal and apply updates as soon as possible.