CVE-2026-44747, a NetWeaver Application Server ABAP bug scored 9.9 under CVSS, allows an authenticated attacker to trigger memory corruption that can expose or alter data or render systems unavailable.
CVE-2026-44747: NetWeaver ABAP out‑of‑bounds write
SAP's July 2026 security updates include a critical fix for CVE-2026-44747, described as an out‑of‑bounds write flaw in SAP NetWeaver Application Server ABAP. According to the advisory, the defect lets an authenticated attacker "leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability." The vulnerability earned a CVSS score of 9.9, reflecting the potential for high impact on confidentiality, integrity, and availability when exploitation succeeds.
SAP and researchers recommend installing the updated ABAP Kernel to fully remediate the issue. As a temporary mitigation, SAP security firm Onapsis noted a proposed workaround: "As a temporary workaround the note proposes to disable all ICF nodes with a specific property in transaction SICF." Onapsis added that this workaround "will disable opening transactions in SAP GUI for HTML," making it impractical for some customers and reinforcing the guidance to apply the official kernel patch instead.
CVE-2026-27690: Approuter HTTP request/response smuggling
Also patched in the July bundle is CVE-2026-27690, a flaw affecting SAP Approuter deployments in non‑Cloud Foundry environments. The vulnerability — assigned a CVSS score of 9.1 — is an HTTP request/response smuggling issue that allows an unauthenticated attacker to send a specially crafted HTTP request. That request can cause request‑response desynchronization, which the advisory says "results in the exposure of user responses and triggers denial‑of‑service (DoS) attacks." The combination of unauthenticated access and the ability to expose responses or induce outages makes this a high‑risk defect for exposed Approuter instances.
CVE-2026-44761: Commerce Cloud sample OAuth 2.0 credentials retained in production
The third high‑severity item fixed is CVE-2026-44761 (CVSS 9.1), a use‑of‑default‑credentials vulnerability in SAP Commerce Cloud. The NIST National Vulnerability Database summarized the risk: "If left unchanged, an unauthenticated attacker could use these well‑known credentials to obtain a valid access token and invoke certain APIs to read and modify data," and that "Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability."
Onapsis traced the root cause to sample configuration scripts previously published on the SAP Help Portal. Those scripts, intended for development and testing, created OAuth 2.0 clients with hard‑coded, publicly documented credentials. Onapsis observed that "Older versions of the documentation did not explicitly warn customers against importing these default settings into production." For exploitation to succeed, Onapsis explained, a customer must have executed the sample script and retained the resulting OAuth 2.0 client in production without replacing the hard‑coded secret.
Importantly, the advisory is explicit about who is affected: customers who removed the sample client or "replaced the secret with a strong, unique value are not impacted." SAP recommends auditing production environments for the presence of the affected sample OAuth 2.0 client and removing it if found.
Onapsis and SAP's mitigation guidance
- For CVE‑2026‑44747, apply the patched ABAP Kernel. The temporary workaround—disabling ICF nodes with a specific property in transaction SICF—will disable SAP GUI for HTML transactions and therefore is not viable for all customers, according to Onapsis.
- For CVE‑2026‑27690, update Approuter deployments in non‑Cloud Foundry environments per SAP's fixes to prevent request/response desynchronization and associated data exposure or DoS.
- For CVE‑2026‑44761, audit Commerce Cloud installations for the sample OAuth 2.0 client; remove the client or replace the hard‑coded secret with a strong, unique value. Onapsis stresses that the issue arises only when sample configuration was imported into production and left unchanged.
The advisories note there is currently no evidence these three flaws have been exploited in the wild, but they recommend applying the updates "for optimal protection."
How technologists, procurement teams, and end users should act
- Technologists and security teams: prioritize installing the patched ABAP Kernel for CVE‑2026‑44747 and update Approuter and Commerce Cloud components per SAP's fixes; where the temporary SICF workaround is considered, weigh the operational impact on SAP GUI for HTML.
- Procurement and configuration teams: review change records and deployment practices to confirm that sample configuration scripts from the SAP Help Portal were not imported into production, and if they were, remove or rotate the OAuth 2.0 client secret immediately.
- End users and application owners: coordinate with platform administrators to confirm updates have been applied and to understand any temporary limitations (for example, disabled HTML GUI transactions if the SICF workaround was used).
SAP's July 2026 update bundle addresses three high‑risk vulnerabilities that together span memory corruption, request/response smuggling, and insecure default credentials. The fixes are straightforward: apply the vendor patches and, where appropriate, remove or rotate sample credentials left in production. While no exploitation has been reported, the combination of high CVSS scores and clear exploitation paths means organizations running affected NetWeaver, Approuter, or Commerce Cloud components should treat these updates as urgent.




