SAP has released fixes for 15 vulnerabilities as part of its June 2026 Security Patch package, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud.
SAP NetWeaver and Commerce Cloud: the platforms at risk
SAP describes NetWeaver as its "core application platform and middleware stack" that underpins many business applications and handles functions such as application serving, integration, authentication, user management, and data processing. Commerce Cloud — formerly Hybris — is SAP's enterprise e-commerce platform for online stores, product catalogs, customer accounts, and order management for B2B and B2C commerce.
The June bulletin lists four critical vulnerabilities and several high- and medium-severity issues across those products and others. SAP warns that some flaws could allow attackers to bypass authentication, cause memory corruption, or traverse directories in server web containers.
CVE-2026-44748: XML Signature Wrapping and SAML authentication
Among the critical fixes is CVE-2026-44748, rated CVSS 9.9, which SAP characterizes as an XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform. SAP's description reads: "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage."
The bulletin flags this as a SAML-based authentication risk: tampered signed XML documents could be accepted by verifiers and lead to unauthorized access to sensitive user data and operational disruption.
CVE-2026-27671 and CVE-2026-40128: memory corruption and directory traversal
Also rated critical is CVE-2026-27671 (CVSS 9.8), described as a memory corruption flaw in SAP NetWeaver/ABAP Platform Application Server ABAP. According to SAP, an attacker can exploit this issue without authentication by sending crafted RFC requests to vulnerable endpoints, leveraging improper kernel validation to cause memory corruption.
CVE-2026-40128 (CVSS 9.0) is a directory traversal vulnerability affecting SAP NetWeaver Application Server Java's Web Container. Directory traversal flaws can expose files and data outside intended web-folder boundaries; SAP labels this one among the critical fixes for June.
Commerce Cloud, SAP Data Hub and high-severity Tomcat issues
SAP lists CVE-2026-22732 (CVSS 9.1) as a Spring Security-related vulnerability affecting SAP Commerce Cloud and SAP Data Hub. The bulletin also addresses two high-severity items: CVE-2026-29145, which comprises multiple Apache Tomcat flaws impacting Commerce Cloud, and CVE-2026-44751, a missing authorization check issue in NetWeaver AS ABAP.
Beyond those named CVEs, SAP reports fixes for a range of common web-application weaknesses including SQL injection, path traversal, cross-site scripting (XSS), email spoofing, and authorization bypass across multiple products.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The bulletin explicitly recommends prioritizing patching for the SAML authentication flaw (CVE-2026-44748) and the memory corruption issue (CVE-2026-27671). Both are rated very high and, per SAP's descriptions, can lead to unauthorized access or be exploited without authentication. Teams running NetWeaver, Commerce Cloud, or Data Hub should inventory exposed endpoints, schedule the June patches, and restrict access to affected interfaces while updates are applied.
- Procurement and operations leaders: Commerce Cloud and NetWeaver underpin customer-facing commerce and back-office ERP functions. The presence of high-severity Apache Tomcat and Spring Security-related fixes signals a need to coordinate patch windows with business continuity plans and to verify that service providers apply SAP's updates promptly.
- End users and customers: SAP warns that acceptance of tampered identity information could expose sensitive user data and disrupt normal system usage. Organizations that hold customer accounts or process orders on Commerce Cloud should expect potential operational maintenance and communicate any planned downtime to affected users.
Access to technical details and mitigation guidance
SAP restricts the full technical details and mitigation advice to customers with a security portal account. The bulletin therefore provides the high-level CVE identifiers and severity ratings in public, but step‑by‑step workarounds and patches require access to SAP's customer security portal.
SAP's June release is succinct but pointed: multiple critical and high-severity flaws touch core authentication, memory handling, and web infrastructure in the company's flagship platforms. Organizations running those products should treat the named CVEs as immediate priorities and follow SAP's portal guidance to remediate.
