SAP May 2026 Security Patch Day: Critical SQL Injection in S/4HANA and Unauthenticated RCE in Commerce Cloud

SAP's May 2026 Security Patch Day addresses 14 vulnerabilities including two Critical-rated flaws: a SQL injection in S/4HANA Enterprise Search (CVE-2026-34260, CVSS 9.6) and an unauthenticated remote code execution in Commerce Cloud's Spring Security configuration (CVE-2026-34263, CVSS 9.6). Organisations running SAP ERP or e-commerce infrastructure should patch immediately.

Tags: #sap #sql-injection #rce #erp #enterprise-software

SAP’s May 2026 Security Patch Day released 14 security notes addressing vulnerabilities across S/4HANA, Commerce Cloud, and Forecasting & Replenishment. Two Critical-rated vulnerabilities demand immediate attention: a SQL injection in S/4HANA’s Enterprise Search ABAP layer (CVE-2026-34260, CVSS 9.6) and an unauthenticated remote code execution via misconfigured Spring Security in SAP Commerce Cloud (CVE-2026-34263, CVSS 9.6). Together they cover SAP’s most strategically important products and represent significant enterprise exposure.

CVE-2026-34260: SQL Injection in SAP S/4HANA Enterprise Search

The vulnerability exists in SAP S/4HANA’s Enterprise Search ABAP component, where authenticated users can inject SQL through search query parameters to manipulate database queries. Exploitation requires valid SAP credentials but no elevated permissions — a standard business user account is sufficient. The impact includes full confidentiality and availability compromise of the underlying HANA database, potentially exposing the complete financial and operational dataset of the affected SAP system.

This is a CVSS 9.6 severity flaw not because of the authentication requirement, but because of the scope of accessible data. HANA databases in S/4HANA deployments typically hold finance, HR, procurement, and supply chain data for the entire enterprise. A low-privilege insider, compromised contractor account, or attacker who has obtained any SAP credential through phishing has a direct path to that dataset.

Affected versions span S/4HANA releases through the current support package. SAP has released a fix via Security Note 3733041.

CVE-2026-34263 — Unauthenticated RCE in SAP Commerce Cloud

An improper Spring Security configuration in SAP Commerce Cloud allows a completely unauthenticated remote attacker to inject malicious input resulting in arbitrary server-side code execution. No credentials are required. The full confidentiality, integrity, and availability triad is impacted. Given that Commerce Cloud is routinely internet-facing as the transactional engine for SAP e-commerce deployments, the external attack surface is broad.

The root cause is a Spring Security configuration gap that fails to enforce authentication on specific API endpoints used during request processing. An attacker who identifies the endpoint can send crafted input that executes on the Commerce Cloud application server. SAP has patched this via Security Note 3733064.
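To make the misconfiguration class concrete, the following is an added illustration written for this article; it is not SAP Commerce Cloud's actual configuration and the endpoint paths are hypothetical. It assumes the Spring Security 6 `SecurityFilterChain` API, where `authorizeHttpRequests` matchers are evaluated in declaration order and the first match wins, so a broad `permitAll` declared before a narrower rule silently exempts the endpoints that rule was meant to protect.

```java
// Added example (hypothetical paths, Spring Security 6 API assumed); not SAP's code.
// Only one of the two configurations below should ever be active in an application;
// the weak one is shown for contrast with the hardened one.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// WEAK (do not deploy): "/api/**" is opened before the rule intended to protect
// "/api/internal/**". Because the first matching rule wins, the internal endpoint
// is reachable without credentials, and the catch-all permitAll means any endpoint
// nobody remembered to list is unauthenticated as well.
@Configuration
@EnableWebSecurity
class WeakApiSecurityConfig {
    @Bean
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").permitAll()               // matches first
                .requestMatchers("/api/internal/**").authenticated()  // never reached
                .anyRequest().permitAll());                           // unsafe default
        return http.build();
    }
}

// HARDENED: list the narrow, deliberately public paths first, then the privileged
// ones, and finish with a default that requires authentication for everything else.
// A new endpoint added later is protected unless someone explicitly opens it.
@Configuration
@EnableWebSecurity
public class HardenedApiSecurityConfig {
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**", "/actuator/health").permitAll()
                .requestMatchers("/api/internal/**").hasRole("ADMIN")
                .anyRequest().authenticated());                       // safe default
        return http.build();
    }
}
```

Reviewing a deployment for this class of gap means checking the ordering of every matcher and confirming that `anyRequest()` ends in `authenticated()` or `denyAll()` rather than `permitAll()`.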

Additional Notable Fixes

CVE             Product                          CVSS  Issue
CVE-2026-34259  SAP Forecasting & Replenishment  8.2   OS command execution, authenticated
CVE-2026-40135  SAP ERP                          6.5   Information disclosure

Why It Matters

SAP systems are high-value targets for financially motivated and state-sponsored attackers precisely because they concentrate financial, HR, and operational data in a single platform. The Commerce Cloud vulnerability is particularly concerning because it is unauthenticated and commonly internet-facing — no prior access is needed. Threat actors who have previously targeted SAP systems, including APT groups documented in SAP threat intelligence, have shown willingness to exploit newly disclosed vulnerabilities within days of patch publication.

SQL injection in S/4HANA’s search layer is a less obvious entry point than a remote service, but post-exploitation access to HANA database content at full privilege represents a catastrophic data exposure for any SAP customer. Under GDPR, a breach of this scope triggers 72-hour notification obligations.

  • Immediate: Apply SAP Note 3733064 (Commerce Cloud) to all internet-accessible instances. Because the flaw is unauthenticated RCE on a routinely internet-facing component, it cannot wait for a scheduled maintenance window.
  • Within 48 hours: Apply Note 3733041 (S/4HANA Enterprise Search). Audit which business users have access to Enterprise Search and consider disabling the feature if patching is delayed.
  • Assess exposure: Identify all SAP Commerce Cloud instances and confirm whether they are internet-facing or behind authentication proxies. Document the exposure window for regulatory reporting purposes.
  • Subscribe to SAP Security Notes: Ensure your SAP Basis team receives alerts for critical security notes — SAP’s patch cadence is monthly but out-of-band patches can be released for actively exploited issues.
