SAP Security Patch Day April 2026: Critical SQL Injection and Authorization Flaws Addressed
Take action: If you are using SAP products, review the advisory in detail. Prioritize patching the critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse, then the high-severity missing authorization check in SAP ERP and SAP S/4HANA. Then review the rest of the issues.
SAP released its April 2026 security patch day advisory, addressing 20 vulnerabilities across its enterprise product suite. The update includes 19 new security notes and one update to a previously released note from November 2025. Affected products include SAP S/4HANA, Business Warehouse, BusinessObjects, and NetWeaver Application Server, requiring immediate attention from administrators to protect organizational data.
Vulnerability summary:
Critical and high severity flaws:
- CVE-2026-27681 (CVSS score 9.9) — A SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse that allows unauthenticated attackers to run arbitrary SQL commands. By sending specially crafted queries to the database interface, an attacker can read, modify, or delete sensitive data stored in the backend. This flaw impacts multiple versions including HANABPC 810 and SAP_BW 750 through 816.
- CVE-2026-34256 (CVSS score 7.1) is a missing authorization check in components such as SAP_FIN and S4CORE: the system fails to validate the user's permissions before executing certain business functions. Attackers can exploit this to access or modify financial records without proper clearance, potentially leading to unauthorized financial transactions or data manipulation. It affects SAP ERP and SAP S/4HANA (Private Cloud and On-Premise).
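The two high-impact classes above, SQL injection and a missing authorization check, both come down to the same defensive pattern: user-supplied data must never become part of the statement text, and a business function must verify the caller's permission before it touches data. The following is an added illustration in Python over an in-memory sqlite3 database, not SAP code and not specific to the affected components; the table, the document numbers, the user names and the permission table are constructed for the example. In ABAP the corresponding constructs are host variables in Open SQL (instead of building a dynamic WHERE string) and an AUTHORITY-CHECK before the function runs.

```python
"""Added example: SQL injection and missing-authorization patterns, vulnerable vs hardened."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an ERP journal table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journal (doc_no TEXT, company_code TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO journal VALUES (?, ?, ?)",
        [("1000000001", "1000", 250.0),
         ("1000000002", "2000", 99.5),
         ("1000000003", "1000", 1200.0)],
    )
    return conn


# --- SQL injection: vulnerable vs hardened ----------------------------------

def fetch_docs_vulnerable(conn: sqlite3.Connection, company_code: str) -> list:
    # Anti-pattern: the caller-supplied value is spliced into the SQL text,
    # so a quote character in it changes the meaning of the statement.
    sql = f"SELECT doc_no FROM journal WHERE company_code = '{company_code}' ORDER BY doc_no"
    return [row[0] for row in conn.execute(sql)]


def fetch_docs_safe(conn: sqlite3.Connection, company_code: str) -> list:
    # Hardened: a bound parameter is always treated as a data value, never as SQL.
    sql = "SELECT doc_no FROM journal WHERE company_code = ? ORDER BY doc_no"
    return [row[0] for row in conn.execute(sql, (company_code,))]


# --- Missing authorization check: vulnerable vs hardened --------------------

# Constructed permission table (hypothetical): user -> {(company_code, activity)}.
PERMISSIONS = {
    "alice": {("1000", "post")},
    "bob": {("1000", "display")},
}


def _next_doc_no(conn: sqlite3.Connection) -> str:
    (current,) = conn.execute("SELECT MAX(doc_no) FROM journal").fetchone()
    return str(int(current) + 1)


def post_journal_entry_vulnerable(conn: sqlite3.Connection, user: str,
                                  company_code: str, amount: float) -> str:
    # Anti-pattern: the business function runs for any caller; `user` is never consulted.
    doc_no = _next_doc_no(conn)
    conn.execute("INSERT INTO journal VALUES (?, ?, ?)", (doc_no, company_code, amount))
    return doc_no


def post_journal_entry_safe(conn: sqlite3.Connection, user: str,
                            company_code: str, amount: float) -> str:
    # Hardened: require the 'post' activity for this company code before any data access.
    if (company_code, "post") not in PERMISSIONS.get(user, set()):
        raise PermissionError(f"{user} may not post in company code {company_code}")
    doc_no = _next_doc_no(conn)
    conn.execute("INSERT INTO journal VALUES (?, ?, ?)", (doc_no, company_code, amount))
    return doc_no


if __name__ == "__main__":
    conn = build_demo_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print("vulnerable:", fetch_docs_vulnerable(conn, crafted))  # every document
    print("safe:      ", fetch_docs_safe(conn, crafted))        # no documents
    print("alice posted", post_journal_entry_safe(conn, "alice", "1000", 10.0))
    try:
        post_journal_entry_safe(conn, "bob", "1000", 10.0)
    except PermissionError as exc:
        print("blocked:", exc)
```

The point of the parameterized version is not that it filters quote characters but that the database never parses the value as SQL at all, so no allow-list of "dangerous" characters is needed. The authorization check belongs at the top of the business function, before the first read or write, so that a caller who reaches the function through an unexpected entry point is still stopped.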
Medium-severity issues:
- Missing authorization checks in SAP S/4HANA OData services: Manage Reference Equipment (CVE-2026-27677), Manage Reference Structures (CVE-2026-27678, CVE-2026-27679), and Manage Technical Object Structures (CVE-2026-27676).
- In SAP BusinessObjects: a denial of service (CVE-2025-64775), insecure session management (CVE-2026-24318), and reflected cross-site scripting (CVE-2026-27683).
- Information disclosure flaws in SAP HCM (CVE-2026-34264) and HANA Cockpit (CVE-2026-34262).
- Code injection in SAP NetWeaver AS Java (CVE-2026-27674).
- An open redirect in SAP NetWeaver AS ABAP (CVE-2026-34257).
- Further authorization issues in SAP Business Analytics (CVE-2026-34261), Material Master (CVE-2026-27672), S/4HANA (CVE-2026-27673), and Manage Journal Entries (CVE-2025-42899).
- A cross-site scripting vulnerability in SAP Supplier Relationship Management (CVE-2026-0512).
Low-severity issues:
- CSS injection in NetWeaver AS ABAP (CVE-2026-27680).
- Code injection in Landscape Transformation (CVE-2026-27675).
SAP strongly recommends that customers apply these security patches immediately through the SAP Support Portal.