SAP Patches Critical ABAP Vulnerability

SAP’s monthly security‑patch day is a cornerstone of its risk‑management strategy, delivering dozens of fixes that protect the enterprise‑resource‑planning (ERP) ecosystem. On April 14, 2026, the company released 20 new or updated security notes, including two high‑severity CVEs that target core ABAP‑based applications. The most alarming, CVE‑2026‑27681, carries a CVSS 9.9 rating and resides in Business Planning and Consolidation (BPC) and Business Warehouse (BW). By publishing the notes promptly, SAP gives customers a clear migration path before attackers can weaponize the flaws.

CVE‑2026‑27681 exploits a low‑privileged upload function, allowing an attacker to inject arbitrary SQL statements that execute directly against the BW/BPC database. In practice, this could let a malicious insider read confidential financial data, alter consolidation figures, or even delete critical tables, jeopardizing reporting integrity and regulatory compliance. Onapsis confirmed that SAP mitigated the bug by deactivating the vulnerable executable code, but the fix requires immediate application of the security note across all affected landscapes. Organizations that delay risk exposure to data tampering, financial misstatement, and operational disruption.

The second critical flaw, CVE‑2026‑34256, removes an authorization check in ERP and S/4 HANA, enabling arbitrary ABAP program execution and potential rewrite of eight‑character executable objects. Combined with 16 medium‑severity notes covering XSS, DoS, and information‑disclosure bugs, the patch day underscores a broader trend of sophisticated supply‑chain attacks on SAP’s extensive product suite. Enterprises should adopt a layered defense—regular patching, strict least‑privilege policies, and continuous monitoring of ABAP activity—to reduce attack surface. Proactive compliance not only safeguards data but also preserves trust with investors and regulators.