SAP has issued its April 2026 security notes, releasing 22 new and updated patches. The update includes one HotNews note for a SQL injection vulnerability with a CVSS score of 9.9.
SAP has published 22 new and updated security notes as part of its April 2026 Patch Day. The release contains one HotNews note rated CVSS 9.9 and two high-priority notes.
The HotNews note (SAP Security Note 3719353, CVE-2026-27681) addresses a SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. The issue exists in an ABAP program that permits a low-privileged user to upload a file containing arbitrary SQL statements, which are then executed. The patch deactivates all executable code in the affected program. SAP lists a temporary workaround that involves revoking the S_GUI authorization object (Activity 60 – Upload) from user accounts; however, this measure may affect other applications.
Two high-priority notes were also released. SAP Security Note 3678282 (CVE-2026-0485, CVSS 7.5) is an update to a denial-of-service vulnerability in SAP BusinessObjects BI Platform. SAP Security Note 3731908 (CVE-2026-34256, CVSS 7.1) fixes a missing authorization check in SAP ERP and SAP S/4HANA (private cloud and on-premise editions). The flaw allows an authenticated attacker to execute a specific ABAP program and overwrite any existing eight-character executable program.
Onapsis Research Labs supported SAP in the patching of six vulnerabilities covered by five notes, including the HotNews note. The additional notes contributed by the team are:
- SAP Security Note 3705094 (CVE-2026-34261, CVSS 6.5) – missing authorization check in SAP Business Analytics and SAP Content Management function modules
- SAP Security Note 3692004 (CVE-2026-34257, CVSS 6.1) – open redirect vulnerability in SAP NetWeaver AS ABAP
- SAP Security Note 3645228 (CVE-2026-0512, CVSS 6.1) – cross-site scripting in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)
- SAP Security Note 3703276 (CVE-2026-27672, CVSS 4.3) – missing authorization check in the Material Master application
The complete list of notes released on April 14, 2026, is as follows:
| SAP Note | Type | Description (CVE) | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 3719353 | New | SQL Injection (CVE-2026-27681) | EPM-BPC-NW-SQE | HotNews | 9.9 |
| 3678282 | Update | Denial of Service (CVE-2026-0485) | BI-BIP-SRV | High | 7.5 |
| 3731908 | New | Missing Authorization Check (CVE-2026-34256) | CA-JVA-JVA | High | 7.1 |
| 3680767 | New | Information Disclosure (CVE-2026-34264) | PA-PA-XX | Medium | 6.5 |
| 3715177 | New | Missing Authorization Check (CVE-2026-27678) | PM-EQM-RS | Medium | 6.5 |
| 3715097 | New | Missing Authorization Check (CVE-2026-27677) | PM-EQM-EQ | Medium | 6.5 |
| 3696239 | New | Denial of Service (CVE-2025-64775) | BI-BIP-SEC | Medium | 6.5 |
| 3705094 | New | Missing Authorization Check (CVE-2026-34261) | PA-OS | Medium | 6.5 |
| 3716767 | New | Missing Authorization Check (CVE-2026-27679) | PM-EQM-RS | Medium | 6.5 |
| 3689080 | Update | Server-Side Request Forgery (CVE-2026-24316) | BC-TWB-TST-ECA | Medium | 6.4 |
| 3692004 | New | Open Redirect (CVE-2026-34257) | BC-FES-ITS | Medium | 6.1 |
| 3719397 | New | Code Injection (CVE-2026-27674) | BC-WD-JAV | Medium | 6.1 |
| 3645228 | New | Cross-Site Scripting (CVE-2026-0512) | SRM-EBP-CAT | Medium | 6.1 |
| 3730639 | New | Information Disclosure (CVE-2026-34262) | HAN-CPT-CPT2-DBX | Medium | 5.0 |
| 3703813 | New | Missing Authorization Check (CVE-2026-27673) | IS-U-TO-MI | Medium | 4.9 |
| 3703276 | New | Missing Authorization Check (CVE-2026-27672) | SCM-BAS-INT-MD | Medium | 4.3 |
| 3711682 | New | Missing Authorization Check (CVE-2026-27676) | PM-EQM-RS | Medium | 4.3 |
| 3530544 | Update | Missing Authorization Check (CVE-2025-42899) | FI-FIO-GL-TRA | Medium | 4.3 |
| 3702191 | New | Insecure Session Management (CVE-2026-24318) | BI-BIP-INV | Medium | 4.2 |
| 3698216 | New | Reflected XSS (CVE-2026-27683) | BI-BIP-INV | Medium | 4.1 |
| 3665042 | Update | CSS Injection (CVE-2026-27680) | BC-WD-UR | Low | 3.1 |
| 3723097 | New | Code Injection (CVE-2026-27675) | CA-LT-PCL | Low | 2.0 |
Organizations running affected SAP systems are advised to review the notes and apply the patches according to their standard change-management processes.

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de