SAP Security Patch Day April 2026: Critical Vulnerabilities, CVSS 9.9 SQL Injection, and Authorization Risks

SAP’s monthly Security Patch Day is a bellwether for enterprise risk, and the April 2026 release raised the alarm with 19 new notes. The headline CVSS 9.9 SQL injection in Business Planning and Consolidation (BPC) and Business Warehouse (BW) targets an ABAP upload routine that lacks proper authorization checks. An authenticated user can inject malicious SQL, pulling or modifying financial consolidation data that feeds downstream reporting and forecasting. Because BPC and BW sit at the heart of corporate finance, any breach can cascade into inaccurate earnings statements, regulatory non‑compliance, and loss of stakeholder trust.

Equally concerning is the CVSS 7.1 vulnerability in SAP ERP and S/4HANA, where a missing authorization gate permits low‑privilege accounts to execute ABAP programs that overwrite existing executable reports. This can silently disable critical business processes, from order‑to‑cash cycles to supply‑chain analytics, creating operational downtime that is costly to remediate. Security researchers from firms like SecurityBridge and Pathlock highlight that these flaws share a common theme: internal access paths, once considered low‑risk, now serve as high‑impact attack vectors. Organizations must reassess role‑based access controls, enforce least‑privilege principles, and audit custom upload functions to close these gaps.

For ERP leaders, the takeaway is clear: patching alone is insufficient without a broader governance strategy. Rapid deployment of SAP’s fixes should be coupled with continuous monitoring of authorization logs, automated vulnerability scanning, and regular penetration testing of custom code. Investing in tools that map privilege escalations across SAP landscapes can pre‑empt future exploits. As SAP ecosystems become more interconnected, a proactive security posture—anchored in robust access design and swift remediation—will be the differentiator between resilient enterprises and those vulnerable to internal breach scenarios.