SAP has released its July 2026 security updates, addressing three new critical vulnerabilities affecting NetWeaver Application Server ABAP, AppRouter, and Commerce Cloud.
The company’s July 2026 Security Patch Day bulletin lists 16 new security notes, one GitHub security advisory, and three updates to previously issued notes. The release also includes fixes for high-severity vulnerabilities involving remote code execution, DLL hijacking, cross-site scripting, open redirects, and third-party components.
The most severe new vulnerability is CVE-2026-44747, a memory corruption issue in SAP NetWeaver Application Server ABAP with a CVSS score of 9.9.
The flaw stems from logical errors in memory management and can be exploited by an authenticated attacker to cause an out-of-bounds write. Successful exploitation could allow unauthorized access to data, modification of information, or system unavailability.
Affected NetWeaver kernel versions are identified in the official SAP security bulletin. SAP recommends installing a patched ABAP Kernel version as the primary remediation.
As a temporary workaround, customers can disable all ICF nodes with a particular property through transaction SICF. However, Onapsis warns that this also disables the ability to open transactions through SAP GUI for HTML, making the workaround unsuitable for some environments.
AppRouter Vulnerable to HTTP Request Smuggling
SAP also patched CVE-2026-27690, a critical HTTP request smuggling vulnerability in AppRouter with a CVSS score of 9.1.
The issue affects SAP AppRouter Node.js packages earlier than version 20.10.0 when deployed outside Cloud Foundry environments.
An unauthenticated attacker can send a specially crafted HTTP request that causes request-response desynchronization between systems. This could allow the attacker to access responses intended for other users or cause a denial-of-service condition.
Customers should update the vulnerable Node.js package to a fixed version. SAP separately addressed a high-severity AppRouter open redirect vulnerability, CVE-2026-44745, in packages earlier than version 21.2.0.
Sample Commerce Cloud Credentials Create Access Risk
The third critical vulnerability, CVE-2026-44761, affects SAP Commerce Cloud and carries a CVSS score of 9.1.
The issue is tied to sample configuration scripts previously provided through the SAP Help Portal for development and testing. These scripts created OAuth2 clients using publicly documented, hardcoded credentials.
Older documentation did not clearly warn customers against importing the sample configuration into production. An unauthenticated attacker who knows the default credentials could obtain a valid access token and use certain APIs to read or alter Commerce Cloud data.
Not every Commerce Cloud environment is vulnerable. Exploitation requires a customer to have executed the sample script, retained the resulting OAuth2 client in production, and left the original client secret unchanged.
Customers who removed the sample client or replaced its secret with a strong and unique value are not affected.
Unlike a conventional software patch, SAP’s note updates the documentation. Administrators must manually audit production environments for the affected sample OAuth2 client and remove it when it still uses the publicly documented secret.
Additional SAP Security Updates
SAP also updated a June security note for CVE-2026-40128, a critical directory traversal vulnerability in the NetWeaver Application Server Java Web Container, to support additional packages.
Other July fixes include a remote code execution vulnerability in the Change and Transport System Attach Tool, multiple Apache Camel and Apache Tomcat vulnerabilities, and a DLL hijacking issue affecting SAProuter on Windows.
SAP has not identified evidence that the three newly disclosed critical vulnerabilities are being exploited in attacks. However, the company strongly recommends applying its July patches as a priority.
Organizations should also review exposed SAP services, restrict administrative access, verify AppRouter package versions, and audit Commerce Cloud OAuth2 clients for credentials originating from sample configurations.