SAP has released its latest monthly security update, comprising 19 new security notes and one update to a previously issued advisory. This month’s “Patch Day” is headlined by a critical-severity vulnerability in its data warehousing components, alongside a significant number of authorization-related fixes across the enterprise suite.
The most critical alert in the April batch is Note #3719353, which addresses a severe SQL Injection vulnerability (CVE-2026-27681) within SAP Business Planning and Consolidation and SAP Business Warehouse. Carrying a CVSS score of 9.9, the flaw stems from insufficient authorization checks that allow an authenticated user to execute crafted SQL statements. By exploiting this flaw, attackers could read, modify, or delete sensitive database data, severely compromising the system’s confidentiality, integrity, and availability. Affected products include several versions of SAP_BW (750–758, 816), HANABPC 810, and BPC4HANA 300.
Security teams should also prioritize Note #3731908, a high-severity “Missing Authorization check” (CVE-2026-34256) impacting SAP ERP and SAP S/4HANA. Rated with a CVSS score of 7.1, this vulnerability affects both Private Cloud and On-Premise environments. The list of impacted components is extensive, covering versions of SAPSCORE (135), S4CORE (102–109), and various financial and application modules.
The remainder of the April release addresses a variety of medium-severity threats:
- Denial of Service (DoS): A flaw (CVE-2025-64775) in the SAP BusinessObjects Business Intelligence Platform could be exploited to disrupt operations (CVSS 6.5).
- Information Disclosure: Vulnerabilities were patched in SAP Human Capital Management for S/4HANA (CVE-2026-34264) and the SAP HANA Cockpit/Database Explorer (CVE-2026-34262).
- Cross-Site Scripting (XSS): Both reflected and standard XSS vulnerabilities were identified in the Business Intelligence Platform (CVE-2026-27683) and the Supplier Relationship Management (SRM) catalog (CVE-2026-0512).
- OData Service Weaknesses: Multiple “Missing Authorization check” notes were issued for S/4HANA OData services, including those managing reference equipment, reference structures, and technical object structures.
- Code Injection: Risks were mitigated in SAP NetWeaver Application Server Java (CVE-2026-27674) and SAP Landscape Transformation (CVE-2026-27675).
Beyond the new releases, Note #3530544 provides a critical update to a security note originally released during the November 2025 Patch Day, focusing on authorization checks in SAP S4CORE for journal entry management.
SAP administrators are encouraged to review these notes and apply patches according to their system exposure.