SAP Patch Day May 2026 highlights the growing cybersecurity risks facing enterprise applications and development environments. While the total number of released security updates remains within a typical range, a sophisticated supply chain attack targeting SAP-related npm packages has drawn global attention.

SAP Patch Day May 2026 once again demonstrates the increasing pressure on organizations to secure their mission-critical SAP environments. SAP released 17 new and updated Security Notes, including three HotNews Notes and one High Priority Note. The primary focus is a supply chain attack targeting SAP-related development environments.

At the center of the security warnings is HotNews Note #3747787, which addresses an attack affecting organizations using the SAP Cloud Application Programming Model (CAP). Attackers managed to inject malicious code into npm packages and temporarily distribute them through public package repositories. According to SAP, the malware was identified as a variant of “Shai-Hulud.”

The attack specifically targeted cloud credentials, service tokens, and private keys from compromised development environments. Although the malicious packages were available only for a limited number of hours, numerous systems may still have been affected if developers downloaded the compromised versions during that period.

The incident highlights the growing vulnerability of modern software supply chains. Development platforms and open-source dependencies are increasingly becoming prime targets for sophisticated cybercriminals. Traditional security controls alone are no longer sufficient. Organizations must strengthen development monitoring, third-party library validation, and CI/CD pipeline security.
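One concrete form of the third-party library validation called for above, as an added example that is not from SAP, Onapsis or the article: audit a package-lock.json for installed versions that were published inside a known incident window, since a poisoned release that was live for only a few hours is still in the lockfile of anyone who installed during that window. The package names, versions, timestamps and lockfile below are constructed placeholders; in practice the publish timestamps come from each package's registry metadata.

```python
"""Flag lockfile dependencies whose resolved version was published inside a
short incident window. Added example: all names, versions and times are constructed."""
import json
from datetime import datetime

# Constructed package-lock.json (lockfileVersion 3); the root entry has key "".
LOCKFILE = json.loads("""{
  "name": "cap-demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "cap-demo", "version": "1.0.0"},
    "node_modules/@example/cds-helper": {"version": "4.2.1"},
    "node_modules/@example/cds-utils": {"version": "1.9.0"},
    "node_modules/@example/cds-utils/node_modules/left-thing": {"version": "0.3.0"}
  }
}""")

# Constructed stand-in for each package document's "time" map from the npm
# registry (version -> ISO publish timestamp); nothing is fetched, so it runs offline.
REGISTRY_TIME = {
    "@example/cds-helper": {"4.2.0": "2026-05-10T08:00:00.000Z",
                            "4.2.1": "2026-05-11T13:05:00.000Z"},
    "@example/cds-utils": {"1.9.0": "2026-04-02T09:30:00.000Z"},
}

def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lockfile_packages(lock):
    """Yield (name, version) pairs; nested node_modules paths resolve to the leaf name."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # root project entry, not a dependency
        yield path.rsplit("node_modules/", 1)[-1], meta.get("version")

def audit_window(lock, registry_time, start_iso, end_iso):
    """Return (flagged, unknown): flagged maps name@version -> publish time for versions
    published inside the window; unknown lists entries with no publish time available."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    flagged, unknown = {}, []
    for name, version in lockfile_packages(lock):
        published = registry_time.get(name, {}).get(version)
        if published is None:
            unknown.append(f"{name}@{version}")  # resolve by hand, never ignore
            continue
        if start <= parse_ts(published) <= end:
            flagged[f"{name}@{version}"] = published
    return flagged, unknown
```

Calling `audit_window(LOCKFILE, REGISTRY_TIME, "2026-05-11T12:00:00Z", "2026-05-11T16:00:00Z")` flags the constructed helper package and reports the entry with no registry data as unknown; entries without a publish time deserve manual review rather than a pass.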

Another critical issue affects SAP Commerce Cloud. SAP Security Note #3733064 received a CVSS score of 9.6 due to a missing authentication check within the platform’s configuration. The vulnerability allows unauthenticated attackers to upload malicious configuration files and potentially execute arbitrary server-side code.

The flaw once again illustrates the risks of misconfigured security rules in complex cloud environments. E-commerce platforms remain especially attractive targets because they provide direct access to customer, payment, and business data.

SAP also released Security Note #3724838 for SAP S/4HANA and SAP Enterprise Search for ABAP. The vulnerability, also rated CVSS 9.6, is a SQL injection flaw caused by insufficient input validation. Attackers could inject malicious SQL statements through user-controlled input fields.

Although the affected code only allows read access to data, the impact on confidentiality remains significant. SQL injection continues to rank among the most dangerous attack vectors in enterprise environments.

In addition, SAP and the Onapsis Research Labs jointly released High Priority Note #3732471 for SAP Forecasting & Replenishment. The note addresses vulnerabilities in multiple function modules that could allow authenticated attackers with administrative privileges to execute arbitrary operating system commands.

Overall, SAP Patch Day May 2026 demonstrates that while the volume of security updates remains moderate, the severity and sophistication of individual vulnerabilities continue to increase. Supply chain attacks in particular are becoming one of the most critical cybersecurity threats for enterprises worldwide.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via e-mail: jakob.jung@security-storage-und-channel-germany.de
