SAP’s June 2026 security update delivers 20 new and updated patches, including six HotNews and three High Priority notes. Two critical vulnerabilities in SAP NetWeaver AS ABAP — a SAML authentication bypass and a memory corruption flaw — carry CVSS scores of 9.9 and 9.8 respectively.
The June 2026 cycle closes with a notably high number of critical findings. Four new HotNews notes appear alongside two updated ones, giving administrators a significant remediation workload. The three High Priority notes include both new findings and a revision of a May advisory. Taken together, the patch set spans authentication bypass, memory corruption, dependency-chain integrity, web application security and privilege escalation.
HotNews Note #3746332 — SAML XML Signature Wrapping (CVSS 9.9)
SAP Security Note #3746332, co-authored with the Onapsis Research Labs (ORL), patches a critical XML Signature Wrapping vulnerability in the SAML authentication layer of SAP NetWeaver AS ABAP and the ABAP Platform. An authenticated attacker with standard user permissions who obtains a validly signed SAML message can restructure the XML so that the signed element stays intact, and therefore still verifies, while a second, unsigned element carries altered identity data. Because the application verifies the signature but does not ensure that the element it reads the identity from is the one the signature actually covers, the tampered identity is accepted, giving the attacker unauthorized access to sensitive user data and the ability to disrupt normal system operations. The impact extends across all three pillars: confidentiality, integrity and availability. SAP's advisory states that the only interim mitigation is to disable SAML authentication entirely, a significant operational constraint for organisations relying on federated identity management.
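The consumer-side mistake behind XML Signature Wrapping is easy to reproduce. The following is an added example, not SAP code and not taken from the advisory: a simplified SAML-like exchange in which an HMAC over a serialised subtree stands in for XMLDSig and C14N (so it runs with the Python standard library alone), namespaces are omitted, and the element names, IDs and the key are constructed. The vulnerable consumer verifies the signature and then reads the identity with an unrelated lookup; the hardened one reads it only from the element the signature covers and checks where that element sits.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the IdP signing key; an HMAC replaces XMLDSig so the
# example runs offline. The wrapping logic does not depend on that choice.
IDP_KEY = b"demo-idp-signing-key"


def canon(elem: ET.Element) -> bytes:
    """Deterministic serialization of one subtree (stand-in for XML C14N)."""
    c = copy.deepcopy(elem)
    c.tail = None  # tail text belongs to the parent, not to the signed subtree
    return ET.tostring(c, encoding="utf-8")


def idp_sign_response(assertion_id: str, name_id: str) -> str:
    """IdP side: <Response> with one <Assertion> and a signature referencing it by ID."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "NameID").text = name_id
    sig = ET.SubElement(resp, "Signature")
    ref = ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(ref, "DigestValue").text = hashlib.sha256(canon(assertion)).hexdigest()
    ET.SubElement(sig, "SignatureValue").text = hmac.new(
        IDP_KEY, canon(ref), hashlib.sha256).hexdigest()
    return ET.tostring(resp, encoding="unicode")


def verified_element(root: ET.Element):
    """Return the element the signature covers, or None if verification fails."""
    sig = root.find("Signature")
    if sig is None:
        return None
    ref = sig.find("Reference")
    expected = hmac.new(IDP_KEY, canon(ref), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.findtext("SignatureValue", "")):
        return None
    target_id = ref.get("URI", "")[1:]
    # Typical ID resolver: first element in document order carrying that ID.
    target = next((e for e in root.iter() if e.get("ID") == target_id), None)
    if target is None or hashlib.sha256(canon(target)).hexdigest() != ref.findtext("DigestValue"):
        return None
    return target


def vulnerable_identity(xml_text: str) -> str:
    """Signature is checked, but the identity comes from an unrelated lookup."""
    root = ET.fromstring(xml_text)
    if verified_element(root) is None:
        raise ValueError("signature invalid")
    # BUG: this search does not care which element was signed.
    return root.find(".//Assertion/NameID").text


def hardened_identity(xml_text: str) -> str:
    """Identity is read only from the signed element, after structural checks."""
    root = ET.fromstring(xml_text)
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes")
    signed = verified_element(root)
    if signed is None:
        raise ValueError("signature invalid")
    # The signed element must be an Assertion, a direct child of Response, and the only one.
    if signed.tag != "Assertion" or signed not in list(root) or len(root.findall(".//Assertion")) != 1:
        raise ValueError("signed element is not the expected assertion")
    return signed.findtext("NameID")


def wrap_attack(xml_text: str, attacker_name: str) -> str:
    """Attacker: keep the signed assertion byte-for-byte, move it, prepend a forged one."""
    root = ET.fromstring(xml_text)
    original = root.find("Assertion")
    root.remove(original)
    forged = ET.Element("Assertion", ID="_forged")
    ET.SubElement(forged, "NameID").text = attacker_name
    root.insert(0, forged)
    # The original is parked under a wrapper: the Reference still resolves and verifies.
    ET.SubElement(root, "Extensions").append(original)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    legit = idp_sign_response("_a1", "alice")
    forged_doc = wrap_attack(legit, "admin")
    print("vulnerable consumer sees:", vulnerable_identity(forged_doc))
    try:
        hardened_identity(forged_doc)
    except ValueError as err:
        print("hardened consumer rejected:", err)
```

The same structural discipline applies with real XMLDSig: resolve the Reference, verify it, and then hand only that verified element to the code that extracts NameID and attributes; anything found by a fresh XPath over the whole document is untrusted.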
HotNews Note #3717897 — Memory Corruption via RFC (CVSS 9.8)
Security Note #3717897, also with ORL authorship, addresses a memory corruption vulnerability in the SAP NetWeaver Application Server ABAP kernel. The kernel does not properly validate RFC (Remote Function Call) protocol input, so an unauthenticated attacker can send a crafted RFC request that triggers logical errors in memory management. Successful exploitation corrupts memory and can lead to arbitrary code execution or service disruption. Network reachability without authentication or user interaction is what drives the CVSS score to 9.8 and makes this one of the most operationally dangerous items in the cycle.
HotNews Note #3748262 — Spring Security Header Omission (CVSS 9.1)
Note #3748262 targets a vulnerability in Spring Security as used by SAP Commerce Cloud and SAP Data Hub; both ship a version of the library affected by CVE-2026-22732. Under certain conditions Spring Security may fail to write HTTP response headers, including the security headers it is responsible for. SAP Commerce Cloud sets HTTP security response headers through a multi-layered mechanism, but that mechanism has no fallback for headers managed exclusively by Spring, so when Spring omits them they are simply absent from the response. The result is a meaningful reduction in browser-side protection (the kind these headers provide against clickjacking, MIME sniffing and protocol downgrade), with substantial impact on confidentiality and integrity; availability is unaffected.
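Because the failure mode is an omission rather than a wrong value, the practical check is to look at what a storefront or Data Hub endpoint actually returns. The following is an added example, not SAP or Spring code: it parses a raw HTTP response and reports which of the headers Spring Security writes by default are missing. The expected set is an assumption drawn from Spring Security's default header configuration (Cache-Control, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security on HTTPS) and should be adjusted to the headers your deployment relies on; the sample responses are constructed.

```python
# Header name -> substring its value must contain (None: presence is enough).
# Assumed default set written by Spring Security; tune to your configuration.
EXPECTED_HEADERS = {
    "cache-control": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "strict-transport-security": "max-age=",  # only expected over HTTPS
}


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response into a lower-cased dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(raw_response: str, https: bool = True) -> list:
    """Expected headers that are absent or whose value lacks the required part."""
    present = parse_headers(raw_response)
    missing = []
    for name, required in EXPECTED_HEADERS.items():
        if name == "strict-transport-security" and not https:
            continue
        value = present.get(name)
        if value is None or (required is not None and required not in value.lower()):
            missing.append(name)
    return missing


# Constructed sample responses (not captured from any real system).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html>ok</html>"
)
# Only the header set by the application layer survives; Spring's are gone.
DEGRADED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n<html>ok</html>"
)

if __name__ == "__main__":
    print("good:    ", missing_security_headers(GOOD_RESPONSE))
    print("degraded:", missing_security_headers(DEGRADED_RESPONSE))
```

For a live check, capture the raw response with `curl -si` against the authenticated and unauthenticated paths of the storefront (the omission is conditional, so test several routes) and feed the output to `missing_security_headers`.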
HotNews Note #3727078 — Directory Traversal in NetWeaver Java Web Container (CVSS 9.0)
The ORL team identified a directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container, addressed in Note #3727078. An unauthenticated attacker can craft a malicious HTTP logon request that manipulates file-inclusion parameters, enabling path traversal and the processing of attacker-chosen files. The attack can expose or modify sensitive information and render portions of the local system inoperable. The combination of network accessibility without authentication and the scope of potential impact places this finding firmly in the critical tier.
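Until the note is applied, traversal attempts against the logon path are worth hunting for in web server or ICM access logs, and any code that maps a request parameter to a file should resolve it under a fixed base directory. The following is an added example, not SAP code: the advisory does not name the affected parameter, so the `file` parameter and the access-log lines are constructed. The detector decodes percent-encoding repeatedly (to catch `%252e%252e`) and treats backslashes as separators before looking for `..` segments; the resolver shows the safe pattern.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common-log-format request field: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until stable (catches double encoding) and unify slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal_attempt(target: str) -> bool:
    """True if the path or any query value contains a '..' segment after decoding."""
    parts = urlsplit(target)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(".." in fully_decode(c).split("/") for c in candidates)


def resolve_under(base_dir: str, user_path: str):
    """Normalised absolute path if it stays inside base_dir, otherwise None."""
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, fully_decode(user_path).lstrip("/")))
    return full if full == base or full.startswith(base + "/") else None


def flag_log_lines(lines) -> list:
    """(line_number, request_target) for each access-log line that looks like traversal."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((n, m.group("target")))
    return hits


# Constructed access-log lines; the 'file' parameter is an assumption, not the real one.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2026:10:00:01 +0200] "GET /logon?file=login_en.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2026:10:00:02 +0200] "GET /logon?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1044',
    '10.0.0.9 - - [01/Jun/2026:10:00:03 +0200] "GET /logon?file=%252e%252e%255cconf%255cusers.xml HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jun/2026:10:00:04 +0200] "GET /logon?file=images/logo.png&lang=en HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, target in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {target}")
    print(resolve_under("/srv/app/templates", "../../etc/passwd"))  # None
```

The resolver deliberately works on the normalised string rather than on the filesystem so that it behaves the same on a log-analysis host as on the server; in production code, resolving symlinks with `os.path.realpath` before the prefix check adds a second layer.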
Updated HotNews Notes
Two HotNews notes updated since the May cycle merit attention. Note #3747787 addresses the compromised open-source packages in SAP's Cloud Application Programming Model and MTA Build Tool, packages that were transiently available via the npm registry on 29 April 2026. SAP has expanded the advisory to include an additional malicious npm package and supplementary hash values that let administrators identify the compromised package versions in their own caches and lockfiles. Note #3733064 (CVSS 9.6), originally published in May, remediates a missing authentication check in the configuration of SAP Commerce Cloud; the June update introduces textual revisions to the Symptom, Other Terms, Solution and Workaround sections.
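Version numbers alone can miss a package that was installed from a mirror or a local cache, which is why the hash values matter. The following is an added example, not SAP tooling: it computes the integrity string npm stores for a tarball and scans a `package-lock.json` (assumed lockfileVersion 2 or 3, with a `packages` map) for entries whose version or integrity hash matches an indicator list. The package names are the ones used on npm, but the versions, the tarball bytes and therefore the hashes are constructed placeholders; substitute the values published in SAP Note #3747787.

```python
import base64
import hashlib
import json


def npm_integrity(tarball: bytes) -> str:
    """The SRI string npm records per package: 'sha512-' + base64(SHA-512(tarball))."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode("ascii")


# Constructed stand-in for a trojanised tarball. In practice hash the .tgz files in
# ~/.npm/_cacache or your artifact store and compare with the note's values.
MALICIOUS_TARBALL = b"constructed stand-in for a trojanized npm tarball"

# Indicators: constructed placeholders, NOT the values from the SAP note.
BAD_VERSIONS = {("@sap/cds", "9.9.9"), ("mbt", "1.99.99")}
BAD_INTEGRITY = {npm_integrity(MALICIOUS_TARBALL)}


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@sap/cds' -> '@sap/cds' (nested installs included)."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def scan_lock(lock: dict) -> list:
    """(name, version, reason) for every installed package that hits an indicator."""
    findings = []
    for key, meta in lock.get("packages", {}).items():
        if key == "":  # the root project entry, not a dependency
            continue
        name, version = package_name(key), meta.get("version")
        if (name, version) in BAD_VERSIONS:
            findings.append((name, version, "listed compromised version"))
        elif meta.get("integrity") in BAD_INTEGRITY:
            findings.append((name, version, "integrity matches malicious tarball hash"))
    return findings


def scan_lock_file(path: str) -> list:
    """Convenience wrapper for a lockfile on disk."""
    with open(path, encoding="utf-8") as fh:
        return scan_lock(json.load(fh))


# Constructed lockfileVersion 3 document: one version hit, one hash hit, one clean entry.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@sap/cds": {"version": "9.9.9", "integrity": "sha512-unrelatedA"},
        "node_modules/mbt": {"version": "1.2.3", "integrity": npm_integrity(MALICIOUS_TARBALL)},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-unrelatedB"},
    },
}

if __name__ == "__main__":
    for name, version, reason in scan_lock(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run it against every lockfile in the build pipeline, not only the application repository, since MTA Build Tool is typically installed on CI agents rather than declared by the project.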
High Priority Notes
Security Note #3747484 (CVSS 7.4) patches multiple known vulnerabilities in Apache Tomcat within SAP Commerce Cloud, tracked as CVE-2026-29145, CVE-2025-66614 and CVE-2026-24734. The flaws affect certificate-based authentication and validation mechanisms. The note delivers patches that upgrade Apache Tomcat to a version no longer susceptible to these CVEs.
Note #3735546 (CVSS 7.1), co-developed with Onapsis, addresses a program in SAP NetWeaver AS ABAP and the ABAP Platform that lets an authenticated attacker with low privileges overwrite another user's data, resulting in privilege escalation. The requirement for existing low-privileged access caps the CVSS score, but the escalation path makes the note relevant wherever many users share a system.
SAP Security Note #373247 (CVSS 8.2), first published with ORL input in May, addresses an OS command injection vulnerability in SAP Forecasting and Replenishment. SAP has added supplementary correction instructions in the June update to ensure complete remediation.
Onapsis Research Labs Contributions — Medium Priority
Beyond the HotNews and High Priority co-authorships, ORL contributed to three medium-priority notes. Note #3751691 (CVSS 6.5) patches an SQL injection vulnerability in SAP S/4HANA: an RFC-enabled function module can be exploited by an authenticated attacker to execute unauthorised database queries and read data outside their authorisation. Note #3723655 (CVSS 6.1) resolves a reflected cross-site scripting (XSS) flaw in the SAP NetWeaver AS Java JDBC Test Servlet, where an unauthenticated attacker can construct a URL embedding malicious script that executes in the victim's browser when the victim opens it. Note #3715280 (CVSS 4.7) corrects a stored XSS vulnerability in SAP Wily Introscope Enterprise Manager caused by insufficient encoding of URL parameters, enabling script injection in the application context.
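The S/4HANA finding is the classic shape of an RFC-reachable defect: a function module that splices caller input into a dynamic WHERE clause, so a remote caller with only RFC authorisation can read tables the module was never meant to touch. The following is an added example, not the affected ABAP module and not SAP code: it rebuilds that defect in Python against an in-memory SQLite database with a constructed schema, shows a UNION payload pulling rows from an unrelated table, and sets the bound-parameter form beside it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a table the caller may read and one they must not."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE orders(id INTEGER, owner TEXT, amount REAL);
        CREATE TABLE salaries(employee TEXT, salary REAL);
        INSERT INTO orders VALUES (1, 'alice', 100.0), (2, 'bob', 250.0);
        INSERT INTO salaries VALUES ('ceo', 900000.0);
        """
    )
    return con


def orders_for_owner_vulnerable(con: sqlite3.Connection, owner: str) -> list:
    """Dynamic WHERE clause: the caller's text becomes part of the statement."""
    sql = "SELECT id, owner, amount FROM orders WHERE owner = '%s'" % owner
    return con.execute(sql).fetchall()


def orders_for_owner_safe(con: sqlite3.Connection, caller: str, owner: str) -> list:
    """Authorisation check plus a bound parameter: input can only ever be data."""
    if owner != caller:
        raise PermissionError("callers may only read their own orders")
    return con.execute(
        "SELECT id, owner, amount FROM orders WHERE owner = ?", (owner,)
    ).fetchall()


# Constructed payload: closes the string literal, appends a UNION over an
# unrelated table with the same column count, and comments out the trailing quote.
PAYLOAD = "alice' UNION SELECT 0, employee, salary FROM salaries --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", orders_for_owner_vulnerable(con, PAYLOAD))  # includes the salaries row
    print("safe:      ", orders_for_owner_safe(con, PAYLOAD, PAYLOAD))  # no such owner: []
```

In ABAP the equivalent fix is to keep the WHERE condition static with host variables rather than building it in a string, and, where a dynamic clause is unavoidable, to pass the caller's value through `cl_abap_dyn_prg` escaping before concatenation; the authorisation check belongs in the function module regardless, because an RFC caller is not the end user.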
Assessment and Recommended Action
The June 2026 cycle is one of the more demanding in recent months, with four new HotNews disclosures and a combined CVSS footprint that reflects genuine, high-impact risks across authentication, memory safety and web layer security. Organisations running SAP NetWeaver AS ABAP should treat Notes #3746332 and #3717897 as emergency-priority items; the SAML flaw in particular has no viable workaround short of disabling the authentication mechanism. Commerce Cloud and Data Hub administrators should assess Spring Security header exposure promptly. Onapsis has confirmed that its platform is being updated to reflect the newly disclosed vulnerabilities, enabling customers to assess exposure in their own environments.

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de