SAP’s June 2026 Security Patch Day addresses 21 security notes including CVE-2026-44748, a CVSS 9.9 critical authentication bypass in SAP NetWeaver Application Server ABAP. The vulnerability allows an unauthenticated remote attacker to forge SAML authentication assertions and assume the identity of any user on the system — including the SAP system administrator — without valid credentials.
CVE-2026-44748: SAML Authentication Bypass
CVE-2026-44748 is a validation failure in NetWeaver ABAP’s SAML 2.0 assertion processing code. The vulnerability exists in the component responsible for verifying the signature and validity of incoming SAML assertions during federated authentication flows.
A SAML assertion is an XML document that asserts a user’s identity, issued by an identity provider (IdP) and trusted by the service provider (SP). In a correctly implemented SAML flow, the SP cryptographically verifies the assertion’s signature before accepting the claimed identity. CVE-2026-44748 allows this verification to be bypassed — enabling an attacker to craft a SAML assertion claiming any user identity without possessing the IdP’s private signing key.
Scope of impact: Any SAP NetWeaver ABAP system configured to accept SAML-based authentication. This includes systems federated with Microsoft Entra ID (Azure AD), Okta, PingFederate, and other enterprise identity providers. It does not require an active federated session — the attacker can present a forged assertion without having a valid IdP session.
CVSS 9.9 (Critical): network attack vector, low attack complexity, no user interaction, scope change (a flaw in the authentication layer compromises the whole ABAP application), and high confidentiality, integrity, and availability impact. One caveat when reading the headline number: under CVSS v3.1 a vector with no privileges required (PR:N), scope change and high impact on all three properties scores 10.0, not 9.9; 9.9 corresponds to PR:L. Confirm the exact vector string published in the SAP note rather than inferring it from the score. Either way, an authentication bypass at the SAML layer grants access to the entire ABAP system with the impersonated user's permissions, which for an administrator account is full control of the system.
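The checks a SAML service provider has to perform before it trusts a NameID, as an added illustration that is not SAP's code and does not model the specific defect in CVE-2026-44748 (the page does not describe which check fails). It contrasts a naive extractor that trusts the claimed identity with a verifier that checks the signature first and the claims afterwards. Assumptions: an HMAC-SHA256 over the assertion bytes (with the ds:Signature child removed) stands in for XML-DSig with the IdP's certificate, the entity IDs and key are hypothetical, and the "forged" assertions are constructed inline.

```python
"""Minimal SAML 2.0 assertion validator (added example, not SAP code).

Stand-in: HMAC-SHA256 over the assertion minus its ds:Signature replaces XML-DSig + RSA.
A real SP verifies the XML signature against the certificate from the IdP's metadata.
"""
import copy
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code: use defusedxml to block XXE/entity expansion

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Hypothetical SP configuration (assumed values, not from any SAP system).
SP_ENTITY_ID = "https://sap-erp.example.com/sap/saml2/sp"
IDP_ENTITY_ID = "https://idp.example.com/saml2"
IDP_KEY = b"idp-signing-key-stand-in"  # stands in for the IdP's signing certificate
CLOCK_SKEW = timedelta(minutes=3)


def _signed_bytes(assertion):
    """Bytes the signature covers: the assertion with any ds:Signature child removed."""
    a = copy.deepcopy(assertion)
    for sig in a.findall(f"{{{DS}}}Signature"):
        a.remove(sig)
    return ET.tostring(a, encoding="utf-8")


def issue_assertion(name_id, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                    key=IDP_KEY, sign=True, now=None):
    """IdP side. With sign=False or a wrong key this models what an attacker can produce."""
    now = now or datetime.now(timezone.utc)
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_a1", "Version": "2.0", "IssueInstant": now.isoformat()})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": (now - timedelta(minutes=1)).isoformat(),
                          "NotOnOrAfter": (now + timedelta(minutes=5)).isoformat()})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    if sign:
        mac = hmac.new(key, _signed_bytes(a), hashlib.sha256).hexdigest()
        sig = ET.SubElement(a, f"{{{DS}}}Signature")
        ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac
    return ET.tostring(a, encoding="utf-8")


def naive_user_from_assertion(xml_bytes):
    """VULNERABLE pattern: uses the claimed NameID without verifying anything."""
    return ET.fromstring(xml_bytes).findtext(f".//{{{SAML}}}NameID")


def verify_assertion(xml_bytes, now=None):
    """Returns the verified NameID or raises ValueError. Signature first, claims after."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_bytes)
    if a.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not an Assertion")
    sigs = a.findall(f"{{{DS}}}Signature")  # direct child only; a Signature nested elsewhere does not count
    if len(sigs) != 1:
        raise ValueError("assertion must carry exactly one enveloped signature")
    claimed = sigs[0].findtext(f"{{{DS}}}SignatureValue") or ""
    expected = hmac.new(IDP_KEY, _signed_bytes(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(claimed, expected):
        raise ValueError("signature does not verify against the trusted IdP key")
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("issuer is not the configured IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not nb or not noa:
        raise ValueError("missing validity conditions")
    if datetime.fromisoformat(nb) - CLOCK_SKEW > now:
        raise ValueError("assertion not yet valid")
    if now >= datetime.fromisoformat(noa) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not addressed to this SP")
    name_id = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        raise ValueError("missing NameID")
    return name_id


def demo():
    """Constructed inputs: three forgeries an attacker without the IdP key can make, plus a genuine one."""
    cases = {
        "unsigned": issue_assertion("SAP*", sign=False),
        "wrong key": issue_assertion("DDIC", key=b"attacker-key"),
        "tampered": issue_assertion("JDOE").replace(b"JDOE", b"SAP*"),  # re-signed? no, so MAC breaks
        "genuine": issue_assertion("JDOE"),
    }
    results = {}
    for label, doc in cases.items():
        try:
            results[label] = verify_assertion(doc)
        except ValueError as exc:
            results[label] = f"REJECTED: {exc}"
    return results
```

Running `demo()` accepts only the genuine assertion; the naive extractor happily returns `SAP*` for the unsigned one, which is the shape of outcome the page describes. The order inside `verify_assertion` is deliberate: nothing from the XML (issuer, audience, times, NameID) is consulted until the signature has been checked over the exact bytes that will be used, so an attacker cannot make the verifier act on unsigned data.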
Additional Critical Vulnerabilities in the June Patch Day
Beyond CVE-2026-44748, the June patch day addresses:
CVE-2026-27671 (CVSS 9.1): SAP NetWeaver Web Dispatcher — HTTP request smuggling allowing request hijacking and privilege escalation in load-balanced SAP landscapes.
CVE-2026-22732 (CVSS 8.8): SAP BusinessObjects Business Intelligence Platform — authenticated remote code execution via Server-Side Request Forgery in the Central Management Console (CMC).
CVE-2026-40128 (CVSS 8.1): SAP Solution Manager — missing authorisation check allowing access to diagnostic and system configuration data without appropriate SAP_SOLMAN authorisation.
Recommended Actions
Apply SAP Security Notes immediately: CVE-2026-44748 is patched by SAP Security Note 3578412. All SAP customers with NetWeaver ABAP systems using SAML authentication should apply this note in the June 2026 patch cycle. SAP recommends treating this as emergency priority.
Identify affected systems: SAML 2.0 in NetWeaver ABAP is configured per client, so check each client with transaction SAML2 to see whether the local provider is enabled and which identity providers are trusted, and use transaction SICF to confirm whether the SAML 2.0 ICF services (normally under /sap/public/bc/sec/saml2) are active. Systems with no enabled SAML 2.0 provider are not affected by CVE-2026-44748; confirm the SAML status of every NetWeaver system before prioritising the patch.
Review SAML logs: SAP Security Note 3578412 includes additional audit logging that can be used to identify whether CVE-2026-44748 was exploited before patching. Review the ABAP system log (SM21) and the Security Audit Log (SM20, or RSAU_READ_LOG on newer releases) for unusual authentication events: SAML assertion processing errors, successful SAML logons for accounts that are not federated at all (SAP*, DDIC and other standard users), and logons from unexpected source addresses. Two caveats apply. The Security Audit Log only holds the event classes that were switched on in its filters before the activity occurred, so if logon events were not being recorded there is nothing to review. And a forged assertion never touches the identity provider, so the strongest signal is a successful SAML logon in SAP with no corresponding sign-in in the IdP's own logs.
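One way to run that correlation, as an added hunting example that is not part of SAP Security Note 3578412 or any SAP tooling: a forged assertion is never issued by the IdP, so a successful SAML logon in the SAP Security Audit Log with no successful IdP sign-in for the same principal shortly before it is the event to chase. The log rows below are constructed (a simplified audit-log export and records in the shape of Entra ID sign-in logs), and the application name, user mapping, correlation window and privileged-account list are assumptions to adapt to your landscape.

```python
"""Correlate SAP Security Audit Log SAML logons with IdP sign-ins (added example, not SAP code)."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)                  # max gap between IdP sign-in and SP logon (assumption)
SAP_APP = "SAP NetWeaver ABAP PRD"             # IdP-side display name of the SP (assumption)
PRIVILEGED = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}  # SAP standard users that should never be federated
# Hypothetical NameID mapping: SAP user ID -> IdP principal, as held in the SP's user mapping.
USER_MAP = {"JDOE": "jdoe@example.com", "ASMITH": "asmith@example.com"}

# Constructed rows in the shape of a simplified Security Audit Log export:
# (timestamp, SAL message ID, SAP user, logon method, terminal/IP). AU1 = logon successful, AU2 = logon failed.
SAL_ROWS = [
    ("2026-06-09T03:12:44", "AU1", "SAP*",    "SAML", "198.51.100.9"),  # privileged account via SAML
    ("2026-06-09T07:59:58", "AU1", "JDOE",    "SAML", "10.20.1.15"),
    ("2026-06-09T08:00:40", "AU1", "BATCH01", "PWD",  "10.20.9.2"),     # not SAML, ignored
    ("2026-06-09T08:10:03", "AU1", "ASMITH",  "SAML", "203.0.113.77"),  # no IdP-issued session behind it
    ("2026-06-09T08:10:05", "AU2", "ASMITH",  "SAML", "203.0.113.77"),  # failure, not a logon
]
# Constructed records in the shape of Entra ID sign-in logs for the SAP enterprise application.
IDP_SIGNINS = [
    {"createdDateTime": "2026-06-09T07:59:31", "userPrincipalName": "jdoe@example.com",
     "appDisplayName": SAP_APP, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-09T08:09:50", "userPrincipalName": "asmith@example.com",
     "appDisplayName": SAP_APP, "status": {"errorCode": 50126}},  # non-zero = failed, no token issued
]


def find_unbacked_saml_logons(sal_rows, idp_signins, window=WINDOW):
    """Return (user, time, terminal, reason) for SAML logons the IdP cannot account for."""
    # Only successful sign-ins to this SP can have produced an assertion.
    issued = [s for s in idp_signins
              if s["appDisplayName"] == SAP_APP and s["status"]["errorCode"] == 0]
    findings = []
    for ts_text, msg_id, user, method, terminal in sal_rows:
        if msg_id != "AU1" or method != "SAML":
            continue
        ts = datetime.fromisoformat(ts_text)
        if user in PRIVILEGED:
            findings.append((user, ts_text, terminal, "SAML logon for privileged standard user"))
            continue
        upn = USER_MAP.get(user)
        backed = any(s["userPrincipalName"] == upn
                     and ts - window <= datetime.fromisoformat(s["createdDateTime"]) <= ts
                     for s in issued)
        if not backed:
            findings.append((user, ts_text, terminal, "no successful IdP sign-in within window"))
    return findings


if __name__ == "__main__":
    for f in find_unbacked_saml_logons(SAL_ROWS, IDP_SIGNINS):
        print(f)
```

On the constructed data this flags the SAP* logon and the ASMITH logon (the IdP only has a failed sign-in for that user) and leaves JDOE alone. The correlation only works if the IdP's sign-in logs are retained for the period in question and the SP's NameID mapping is known, so both belong in the evidence you collect before deciding whether exploitation occurred.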
Segmentation: SAP NetWeaver systems should not be internet-accessible except through approved gateway and load balancer infrastructure. Internet-facing NetWeaver instances face the highest exploitation risk from CVE-2026-44748.
Context: SAP ERP as a High-Value Target
SAP systems run the core financial, HR, procurement, and manufacturing processes of enterprises across every sector. Administrative access to NetWeaver ABAP — what CVE-2026-44748 provides through SAML bypass — is equivalent to administrative access to the organisation’s core business processes.
CISA’s guidance on SAP security from 2021 (AA21-130A) documented active exploitation of SAP systems by threat actors specifically because of the high-value data and process access they provide. The June 2026 SAML bypass is in the same category — a vulnerability whose exploitation consequence is measured not just in IT impact but in business operations and data exposure.