Enterprise software maker SAP on Tuesday released 15 new security notes, including four that resolve critical-severity vulnerabilities in NetWeaver, Commerce, and Data Hub.
The most severe of the resolved bugs is CVE-2026-44748 (CVSS score of 9.9), described as an XML Signature Wrapping issue in the SAML Authentication of NetWeaver AS ABAP and ABAP Platform.
An authenticated attacker with normal privileges could “obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier,” application security firm Onapsis explains.
Due to the security defect, the modified identity information is accepted, providing the attacker with access to sensitive user data and potentially allowing them to disrupt normal system usage.
Disabling SAML authentication temporarily mitigates the vulnerability, Onapsis explains.
The second critical-severity flaw patched on SAP’s June 2026 security patch day is CVE-2026-27671 (CVSS score of 9.8), a memory corruption issue in NetWeaver and ABAP Platform.
The bug is due to the SAP kernel’s improper validation of the RFC protocol, allowing unauthenticated attackers to send crafted requests that target logic errors in memory management.
Affecting Commerce Cloud and Data Hub, the third critical-severity weakness that SAP resolved this week is CVE-2026-22732 (CVSS score of 9.1), which impacts all applications that rely on the Spring Security framework.
“When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written,” a NIST advisory reads.
SAP on Tuesday also resolved a critical directory traversal vulnerability in NetWeaver Application Server Java (Web Container).
Tracked as CVE-2026-40128 (CVSS score of 9.0), the issue allows unauthenticated attackers to send malicious HTTP logon requests, manipulating file inclusion parameters and allowing the attacker to access sensitive information or cause denial-of-service (DoS) conditions.
On Tuesday, SAP also released a high-severity security note resolving multiple Apache Tomcat flaws in Commerce Cloud, and another to address a missing authorization check in NetWeaver and ABAP Platform.
Related: Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks
Related: Everybody Is Vibe Coding But Nobody Told the Security Team
Related: Apple Rejected 2 Million App Store Submissions in 2025 for Security and Fraud Prevention
Related: CrewAI Vulnerabilities Expose Devices to Hacking
