SAP January 2026 security updates patch critical S/4HANA and RCE flaws
Take action: Make sure all SAP platforms are isolated from the internet and reachable from trusted networks only. Prioritize patching S/4HANA, HANA, and SAP Wily Introscope Enterprise Manager, then Landscape Transformation. Network isolation limits exposure of the RFC-based flaws but does not remove the Wily Introscope risk, which is triggered by a user opening a crafted URL, so that patch should not wait on network changes.
SAP released 17 security notes for January 2026 to fix several flaws that could let attackers take over business systems. Four of these address critical flaws (CVSS 9.1 and above) in S/4HANA, SAP Landscape Transformation, and the Wily Introscope Enterprise Manager monitoring tool; a further four are rated high, including a privilege escalation in the HANA database.
Vulnerability summary:
- CVE-2026-0501 (CVSS score 9.9) - SQL Injection in S/4HANA Financials. This vulnerability affects versions S4CORE 102 through 109 and impacts a Remote Function Call-enabled module that relies on the ABAP Database Connectivity (ADBC) framework for executing native SQL statements. The SQL statement is provided through an input parameter, allowing an attacker to execute arbitrary SQL commands. This vulnerability could lead to complete system compromise, enabling attackers to access sensitive financial data, manipulate records, or execute unauthorized operations within the general ledger system.
- CVE-2026-0500 (CVSS score 9.6) - Remote Code Execution in SAP Wily Introscope Enterprise Manager (WorkStation), affecting version WILY_INTRO_ENTERPRISE 10.8. An unauthenticated attacker can craft a malicious JNLP (Java Network Launch Protocol) file that is reachable through a URL; when a victim opens that URL, the Wily Introscope server executes the attacker's commands against the victim's application. Because the trigger is a user click rather than a direct request to the server, this flaw is reachable even where the Enterprise Manager itself is not internet-facing.
- CVE-2026-0498 (CVSS score 9.1) - Code Injection in S/4HANA (Private Cloud and On-Premise), affecting versions S4CORE 102 through 109. The bug is in a remote-enabled function module that lets an attacker with administrative privileges arbitrarily modify the source code of existing programs; the module does not enforce the authorization checks that should gate such changes, so the result can be OS command injection and full system compromise.
- CVE-2026-0491 (CVSS score 9.1) - Code Injection in Landscape Transformation affecting versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, and 2020. This is the same vulnerable function as CVE-2026-0498, but the affected component is shipped as a separate DMIS add-on.
- CVE-2026-0492 (CVSS score 8.8) - Privilege escalation in HANA database
- CVE-2026-0507 (CVSS score 8.4) - OS Command Injection in ABAP and NetWeaver
- CVE-2026-0511 (CVSS score 8.1) - Multiple flaws in Fiori App (Intercompany Balance Reconciliation)
- CVE-2026-0506 (CVSS score 8.1) - Missing authorization in NetWeaver AS ABAP
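The two highest-rated S/4HANA and Landscape Transformation flaws share a root cause: a remote-enabled function module that trusts what the RFC caller sends, either a complete native SQL statement run through ADBC (CVE-2026-0501) or replacement program source (CVE-2026-0498 / CVE-2026-0491), without an authorization check of its own. The following is an added illustration written for this page, not SAP's vulnerable code and not the content of any SAP note: hypothetical custom modules (the Z_* names, the ZTT_GL_ROW table type, and the ACDOCA column selection are assumptions) showing the vulnerable shape beside the hardened shape. The authorization objects F_BKPF_BUK and S_DEVELOP are standard SAP objects; "remote-enabled" is a property set in the module attributes, not in the source.

```abap
*---------------------------------------------------------------------*
* Added illustration, not SAP code. Z_* names, ZTT_GL_ROW and the
* ACDOCA column list are assumptions made for this example.
*---------------------------------------------------------------------*

* --- Vulnerable shape (the pattern described for CVE-2026-0501) -------
FUNCTION z_gl_query_unsafe.
*"  IMPORTING  VALUE(iv_sql)  TYPE string
*"  EXPORTING  VALUE(et_rows) TYPE ztt_gl_row
  " The caller hands over a complete native SQL statement. There is no
  " AUTHORITY-CHECK and no validation: any user who can reach the module
  " over RFC runs arbitrary SQL with the work process's database user.
  DATA(lo_stmt)   = cl_sql_connection=>get_connection( )->create_statement( ).
  DATA(lo_result) = lo_stmt->execute_query( iv_sql ).
  lo_result->set_param_table( REF #( et_rows ) ).
  lo_result->next_package( ).
  lo_result->close( ).
ENDFUNCTION.

* --- Hardened shape ----------------------------------------------------
FUNCTION z_gl_query_safe.
*"  IMPORTING  VALUE(iv_bukrs) TYPE bukrs
*"             VALUE(iv_gjahr) TYPE gjahr
*"  EXPORTING  VALUE(et_rows)  TYPE ztt_gl_row
*"  EXCEPTIONS not_authorized
*"             db_error
  " 1. RFC reachability is not authorization: check the business object
  "    for the requested company code (activity 03 = display).
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.
  " 2. The statement text is a constant. Caller values are bound through
  "    ADBC parameter markers (?) and can never alter the SQL structure.
  TRY.
      DATA(lo_stmt) = cl_sql_connection=>get_connection( )->create_statement( ).
      lo_stmt->set_param( REF #( iv_bukrs ) ).
      lo_stmt->set_param( REF #( iv_gjahr ) ).
      DATA(lo_result) = lo_stmt->execute_query(
        `SELECT belnr, docln, hsl FROM acdoca WHERE rbukrs = ? AND gjahr = ?` ).
      lo_result->set_param_table( REF #( et_rows ) ).
      lo_result->next_package( ).
      lo_result->close( ).
    CATCH cx_sql_exception.
      " Do not echo the database error text back to the RFC caller.
      RAISE db_error.
  ENDTRY.
ENDFUNCTION.

* --- Same root cause as CVE-2026-0498 / CVE-2026-0491: a remote-enabled
* --- module that rewrites program source must gate on S_DEVELOP itself,
* --- rather than assuming an "admin" caller is entitled to change code.
FUNCTION z_program_update_safe.
*"  IMPORTING  VALUE(iv_program) TYPE progname
*"             VALUE(it_source)  TYPE string_table
*"  EXCEPTIONS not_authorized
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' DUMMY
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD iv_program
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '02'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.
  INSERT REPORT iv_program FROM it_source.
ENDFUNCTION.
```

The unsafe module is also the pattern a custom-code scan should flag while the patches are rolled out: any remote-enabled function module whose import parameter flows into cl_sql_statement->execute_query or execute_update, or into INSERT REPORT or GENERATE SUBROUTINE POOL, with no AUTHORITY-CHECK in between. S_RFC controls whether a user can call the function group at all, but it says nothing about what data or objects the call may touch, which is why the check has to be inside the module.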
The remaining nine security notes resolve medium- and low-severity vulnerabilities across multiple SAP products.
Medium-severity flaws include:
- CVE-2026-0503 (CVSS score 6.4) affecting SAP ERP Central Component and S/4HANA (SAP EHS Management)
- CVE-2026-0499 (CVSS score 6.1) - Cross-Site Scripting in SAP NetWeaver Enterprise Portal
- CVE-2026-0514 (CVSS score 6.1) - Cross-Site Scripting in SAP Business Connector
- CVE-2026-0513 (CVSS score 4.7) - Open Redirect in SAP Supplier Relationship Management
- Several flaws rated 4.3, including CVE-2026-0494, CVE-2026-0493, and CVE-2026-0497
Low-severity issues include:
- CVE-2026-0504 (CVSS score 3.8) in SAP Identity Management
- CVE-2026-0510 (CVSS score 3.0) - Obsolete encryption algorithms in NW AS Java UME User Mapping
SAP advises customers to check the SAP Support Portal for the corresponding security notes and apply the updates as soon as possible.