"SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability," SAP says.
SAP's July 2026 security package: scope and context
In its July 2026 security updates, SAP addressed 16 distinct vulnerabilities spanning multiple products, including three that the company classed as critical. The package also included fixes for six high-severity, seven medium-severity, and one low-severity issue. That wider set of corrections covered a broad range of attack vectors: DLL hijacking, open redirect, missing authorization checks, remote code execution, cross-site scripting (XSS), path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations.
SAP noted it has not yet found evidence that the vulnerabilities patched in July 2026 were exploited in the wild. The July advisory follows a June 2026 package in which SAP fixed 15 vulnerabilities, and comes after an incident in which attackers compromised multiple official SAP npm packages in a supply chain attack aimed at stealing credentials from developers' systems.
NetWeaver Application Server ABAP — CVE-2026-44747
The most immediately consequential fix addresses CVE-2026-44747, a memory corruption issue rooted in an out‑of‑bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP). SAP describes AS ABAP as the runtime environment, application server, and development platform for core SAP enterprise software.
According to the advisory, an authenticated attacker could exploit logical memory-management errors to cause memory corruption, with "high impact on confidentiality, integrity, and availability of the application." That combination — authentication required but the potential for broad data access or service disruption — is why SAP flagged the flaw as critical.
SAP Approuter (Node.js middleware) — CVE-2026-27690
The second critical vulnerability, CVE-2026-27690, is an HTTP Request Smuggling flaw in SAP Approuter, a Node.js‑based middleware library used for cloud applications deployed on SAP's Business Technology Platform (SAP BTP).
SAP said that unauthenticated attackers can exploit specially crafted HTTP requests to access user responses and trigger denial‑of‑service conditions on a targeted system. The combination of unauthenticated access and the ability to both read responses and cause service disruption accounts for the critical classification.
SAP Commerce Cloud — CVE-2026-44761
The third critical issue (CVE-2026-44761) affects SAP Commerce Cloud, the company's enterprise e-commerce platform. This flaw stems from default credentials that can allow attackers to obtain valid access tokens and then read or modify data via certain APIs.
Default-credential flaws are notable because they can convert a minor misconfiguration into full API access; SAP's advisory explicitly ties the issue to token issuance and subsequent data-read or data-modify capabilities.
What this means for security teams, CISA, and large enterprises
- Security teams and technologists: Expect to prioritize patches for NetWeaver AS ABAP, Approuter, and Commerce Cloud based on the July advisories. The mix of memory corruption, request smuggling, and default credentials means teams must look at both software updates and configuration hygiene.
- CISA and policymakers: The Cybersecurity and Infrastructure Security Agency (CISA) has previously added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog since November 2021, including two abused by ransomware gangs. That prior activity elevates the agency's interest in SAP fixes even when SAP reports no evidence of exploitation for this batch.
- Large enterprises and procurement leaders: SAP reported total revenues exceeding €36 billion in fiscal year 2025 and said it serves 99 of the 100 largest companies worldwide. Those customers, by virtue of scale and integration depth, will need to coordinate patching across deployments and verify that default credentials are remediated in Commerce Cloud instances.
Where this leaves customers and the next question for defenders
SAP's July 2026 updates close three critical gaps and a group of lower-severity issues, but they arrive against a recent history that includes a supply chain compromise of official SAP npm packages and multiple previously cataloged, exploited SAP flaws. SAP's statement that it has found no evidence of exploitation for these specific July fixes is important — but not definitive; CISA's past cataloging of exploited SAP vulnerabilities and the prior npm compromise underscore why organizations should treat the updates as urgent.
The immediate operational task for defenders is clear: confirm patch availability from SAP, apply updates for AS ABAP, Approuter, and Commerce Cloud, and eliminate default credentials where they exist. The broader question left by the advisory is whether patch cadence and configuration checks will be sufficient to prevent attackers from turning similar flaws — particularly in middleware and platform components — into footholds in large enterprise environments.




