TL;DR
SAP Security Patch Day July 2026 shipped 16 new security notes and one GitHub advisory. The top fix, CVE-2026-44747 (CVSS 9.9), patches a memory corruption flaw in SAP NetWeaver Application Server ABAP. Two more critical bugs affect SAP Approuter and SAP Commerce Cloud.
Why It Matters
SAP NetWeaver AS ABAP underpins many core SAP business systems. Therefore, a critical flaw in that layer touches the foundation of an enterprise’s ERP estate. This SAP Security Patch Day carries three critical notes, so patching cannot wait for a quiet maintenance window.
How the Attacks Work
CVE-2026-44747: Memory Corruption (CVSS 9.9)
An authenticated attacker can abuse logical errors in memory management. As a result, the flaw triggers memory corruption in NetWeaver AS ABAP. SAP warns this could lead to unauthorized data access, data modification, or system downtime. The impact spans confidentiality, integrity, and availability.
CVE-2026-27690: HTTP Request Smuggling (CVSS 9.1)
This flaw sits in SAP Approuter. An unauthenticated attacker can send a crafted HTTP request that desynchronizes the request-response flow. Consequently, it may expose other users’ responses or knock the system offline.
CVE-2026-44761: Insecure Sample Credentials (CVSS 9.1)
SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented credentials. If left unchanged, an unauthenticated attacker could use those well-known credentials to obtain a token and read or modify data.
Affected Versions
The memory corruption flaw affects many SAP Kernel and KRNL64 releases, including KERNEL 7.22 through 9.20. The Approuter smuggling bug affects the Node.js package below version 20.10.0. The Commerce Cloud issue affects HY_COM 2205 and COM_CLOUD 2211 builds.
Exploitation Status
SAP has not reported any in-the-wild exploitation or public proof-of-concept for these July flaws. No such activity has been confirmed at this time.
Patch and Mitigation
Administrators should apply the relevant notes without delay, and prioritize the three critical fixes first. Kernel-level flaws like CVE-2026-44747 usually require a kernel patch rather than a config change, so plan for downtime. Review the full list on the SAP Security Patch Day July 2026 bulletin. Commerce Cloud teams should also rotate any default sample OAuth2 credentials immediately.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.