Critical Vulnerabilities in SAP NetWeaver, SAP Approuter and SAP Commerce Cloud
15 July 2026
Attackers can exploit critical vulnerabilities in SAP NetWeaver, SAP Approuter and SAP Commerce Cloud to gain unauthorised access, modify data and cause denial of service to affected systems. Patch immediately.
Background
SAP has released security updates to address multiple vulnerabilities (CVE-2026-44747, CVE-2026-27690, and CVE-2026-44761) affecting SAP NetWeaver Application Server (AS) ABAP, SAP Approuter, and SAP Commerce Cloud, as part of SAP's Security Patch Day in July 2026.
These vulnerabilities have a Common Vulnerability Scoring System (CVSS v3.1) score of: CVE-2026-44747 at 9.9, CVE-2026-27690 and CVE-2026-44761 at 9.1, out of 10.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-44747: Due to a memory corruption vulnerability in SAP NetWeaver AS ABAP, an authenticated attacker could leverage logical errors in memory management to gain unauthorised access and modify sensitive data data, or cause the affected system to become unavailable.
CVE-2026-27690: Due to an HTTP request smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send specially crafted HTTP requests to intercept or manipulate user responses to cause a denial of service condition on the affected system.
CVE-2026-44761: Due to the use of default OAuth2 sample credentials in SAP Commerce Cloud, an unauthenticated attacker could use publicly documented credentials to obtain valid access tokens and gain unauthorised read or write access to data via affected cloud APIs.
Affected Products
These vulnerabilities affect the following SAP products and versions:
CVE-2026-44747 (SAP NetWeaver AS ABAP): KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, 9.20
CVE-2026-27690 (SAP Approuter): versions prior to 20.10.0
CVE-2026-44761 (SAP Commerce Cloud): HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately..
References
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2026.html
https://nvd.nist.gov/vuln/detail/CVE-2026-44747
https://nvd.nist.gov/vuln/detail/CVE-2026-27690
