SAP Patches Critical NetWeaver, Commerce Vulnerabilities


Enterprise software maker SAP on Tuesday released 15 new security notes, including four that resolve critical-severity vulnerabilities in NetWeaver, Commerce, and Data Hub.

The most severe of the resolved bugs is CVE-2026-44748 (CVSS score of 9.9), described as an XML Signature Wrapping issue in the SAML Authentication of NetWeaver AS ABAP and ABAP Platform.

An authenticated attacker with normal privileges could “obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier,” application security firm Onapsis explains.

Due to the security defect, the modified identity information is accepted, providing the attacker with access to sensitive user data and potentially allowing them to disrupt normal system usage.

Disabling SAML authentication temporarily mitigates the vulnerability, Onapsis explains.
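The verifier-side structural check that XML Signature Wrapping defenses rest on, as an added Python example that is not SAP's, Onapsis's or the article's code: the identity a verifier consumes must come from the single Assertion that the enveloped Signature actually references. The constructed sample responses, the namespace map and the function name are assumptions, and the cryptographic validation of the signature value itself is assumed to happen elsewhere.

```python
# Added example, not from the article or SAP. Structural check against XML
# Signature Wrapping: accept a NameID only from the one Assertion whose own
# enveloped Signature references that Assertion's ID. Cryptographic
# validation of SignatureValue is assumed to be done by a separate step.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signed_name_id(response_xml: str) -> str:
    """Return the NameID of the sole, self-referencing signed Assertion.

    Raises ValueError when the Response holds more than one Assertion, when
    the Assertion carries no enveloped Signature, or when the Signature's
    Reference URI does not point at that very Assertion's ID.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)  # must be enveloped in the Assertion
    if sig is None:
        raise ValueError("Assertion is not signed")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise ValueError(f"expected exactly one Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or uri[1:] != assertion.get("ID"):
        raise ValueError(f"Reference {uri!r} does not cover Assertion {assertion.get('ID')!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("signed Assertion has no NameID")
    return name_id.text

# Constructed sample: one Assertion, signed, Reference points at its own ID.
LEGIT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a second, unsigned Assertion was added beside the signed
# one; the check refuses it instead of silently reading the tampered identity.
WRAPPED = LEGIT.replace("</samlp:Response>",
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin'
    "</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>")
```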

The second critical-severity flaw patched on SAP’s June 2026 security patch day is CVE-2026-27671 (CVSS score of 9.8), a memory corruption issue in NetWeaver and ABAP Platform.

...

Copyright of this story solely belongs to securityweek.com.