
SAP has released fixes for 15 vulnerabilities as part of its June 2026 Security Patch package, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud.
NetWeaver is SAP's core application platform and middleware stack that provides the foundation for many SAP business applications, including ERP systems, handling functions such as application serving, integration, authentication, user management, and data processing.
Commerce Cloud is an enterprise e-commerce platform (formerly Hybris). It enables organizations to build and manage online stores, digital sales channels, product catalogs, customer accounts, and order management systems for B2B and B2C commerce.
In this month's security bulletin, SAP lists the following critical vulnerabilities as being addressed:
“SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier,” reads the description for CVE-2026-44748.
“This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage.”
CVE-2026-27671 can be exploited without authentication by sending crafted RFC requests to vulnerable endpoints, leveraging improper kernel validation to cause memory corruption.
Apart from the critical security issues above, SAP also addressed two high-severity vulnerabilities: CVE-2026-29145, which comprises multiple Apache Tomcat flaws impacting Commerce Cloud, and CVE-2026-44751, a missing authorization check in NetWeaver AS ABAP.
The German enterprise software company also addressed various SQL injection, path traversal, cross-site scripting (XSS), email spoofing, and authorization bypass issues across multiple SAP products.
Details about the flaws and mitigation advice or workarounds are available only to SAP customers with a security portal account.
Organizations using the impacted products should prioritize patching, particularly the SAML authentication flaw (CVE-2026-44748) and the memory corruption issue (CVE-2026-27671), which were rated very high in severity and could have a serious impact on enterprise environments.