CVE-2026-34263: unauthenticated code execution in SAP Commerce Cloud
SAP's May 2026 security updates address a critical missing-authentication flaw in Commerce Cloud tracked as CVE-2026-34263. According to the advisory, an improper Spring Security configuration in Commerce Cloud permits unauthenticated attackers to upload malicious configuration and inject code, culminating in arbitrary server-side code execution. SAP characterizes the impact as high across confidentiality, integrity, and availability for affected deployments.
CVE-2026-34260: low-complexity SQL injection in S/4HANA
The second critical fix, CVE-2026-34260, concerns S/4HANA and allows actors with basic privileges to perform low-complexity SQL injection attacks. SAP's advisory says the application concatenates malicious user input directly into SQL queries without proper validation or sanitization, passing those queries to the underlying database. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. SAP rates the vulnerability as having a high impact on confidentiality and availability while integrity remains unaffected.
May 2026 advisory: breadth of fixes and severity mix
In total, SAP's May 2026 security update addresses 15 vulnerabilities across multiple products. Besides the two critical flaws, the advisory lists one high-severity issue and 11 medium-severity issues. The medium- and high-severity fixes cover a range of weaknesses including command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service (DoS).
SAP notes it has not found evidence that any of the vulnerabilities patched in this update were exploited in the wild. The advisory sits against a recent backdrop in which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog in recent years, including two that were abused in ransomware attacks.
Security teams, procurement leaders, and developers: immediate actions and concerns
- Security teams: The advisory identifies attack paths that range from unauthenticated remote code execution to privilege‑escalating SQL injection. Teams running Commerce Cloud or S/4HANA should prioritize the critical patches and validate that Spring Security configurations and input validation controls have been corrected as SAP describes.
- Procurement leaders and affected enterprises: SAP serves 99 of the 100 largest companies worldwide and reported total revenues exceeding €36 billion in fiscal year 2025; the scale amplifies operational risk if high-impact flaws go unpatched. Procurement and risk teams should confirm patching timelines with SAP product owners and demand evidence of remediation in hosted or managed environments.
- Developers: The advisory comes after a recent supply-chain compromise in which multiple official SAP npm packages were compromised to steal credentials and authentication tokens from developers' systems. Development teams must validate dependencies, rotate credentials where packages were used, and follow the updated SAP guidance on safe package usage.
Closing observation
SAP's May 2026 patches close two critical doors—one that let unauthenticated actors write and execute server-side code, the other that let low-privilege actors inject SQL—but they arrive into a large, interconnected customer base and a recent history of supply‑chain and exploited SAP flaws cataloged by CISA. SAP reports no evidence of in-the-wild exploitation for these particular fixes; nonetheless, the combination of critical remote code execution and exploitable SQL injection in core enterprise platforms underscores why rapid patching, verification of configuration changes, and scrutiny of developer-facing packages will matter in the weeks ahead.
