SAP's July Patch Day: three criticals, worst is 9.9
SAP's July 2026 Security Patch Day fixes 16 flaws — three rated critical, worst a CVSS 9.9 memory-corruption bug in NetWeaver ABAP. No known exploitation yet.
SAP shipped its July 2026 Security Patch Day on 2026-07-14 — sixteen notes in total, three of them critical, six high, seven medium, one low, per BleepingComputer’s summary of the release. NVD carries base scores for the three criticals; the vendor’s own note IDs sit behind SAP’s authenticated Support Portal, as they always do.
The three:
- CVE-2026-44747 — NetWeaver Application Server ABAP, memory corruption via logical errors in memory management, NVD 9.9. Authenticated. High impact across confidentiality, integrity, and availability.
- CVE-2026-27690 — AppRouter (the Node.js middleware that fronts Business Technology Platform tenants), HTTP request smuggling, NVD 9.1. Unauthenticated. A crafted request desynchronizes the request-response pipeline, exposing other users’ responses and knocking the service offline.
- CVE-2026-44761 — Commerce Cloud, default-credentials, NVD 9.1. Unauthenticated. A sample OAuth2 client with credentials documented publicly in the SAP Help Portal was retained in shipped Commerce Cloud tenants, so anyone who read the docs could obtain a valid access token against a tenant that left the sample in place.
None of the three are reported as exploited in the wild at time of writing, per BleepingComputer’s summary of SAP’s own note. That is worth registering carefully: not-yet-exploited on a patch day is a temporary observation, not a durable property, and the AppRouter one — unauthenticated, network-reachable, sitting on the internet-facing edge of BTP — is the one that tends not to stay that way for long once the note has been read.
The pattern under the three
The individual bugs are worth reading their NVD entries and the linked notes for. What is worth reading the shape of the three together for is the pattern.
A memory-corruption flaw in ABAP is the kind of finding that would not have looked out of place in an SAP security note ten years ago, or twenty. ABAP is old enough to remember when memory management on the ABAP application server was itself considered a solved problem, and yet here in 2026 is a 9.9-scored logical error in exactly that layer, requiring only an authenticated session to reach. NetWeaver’s install base is largely the same enterprise mainframe substrate that has been sitting quietly under global commerce for decades; a bug in that substrate is not exciting in the way a new zero-day dropper is exciting, but it is the sort of finding that will still be present in some fraction of tenants three years from now because it lives in the software that nobody’s team ever gets time to patch on cadence.
The Commerce Cloud one is the older pattern. A sample credential, published in documentation, honored by a real production service unless a deploying team read the note about changing it. That is not a class of bug you fix on the vendor side by removing the sample from a doc — it is a class of bug you fix on the vendor side by refusing to ship the sample in the first place, and it recurs across products and decades because there is always a next vendor who will not learn that lesson until it lands as a CVE. Nine-point-one is what NVD scored the deployment, not the credential.
The AppRouter one is more contemporary. HTTP request smuggling as a class was raised into the top of the security-conference stack in 2019 and has been chased around every Node HTTP parser and every reverse proxy in the years since. That the fresh 9.1 landed in AppRouter’s own code rather than in a Node core parser mismatch suggests the specific hazard here is in SAP’s own middleware — which is where custom middleware always ends up being the harder ground to defend, because the upstream fixes do not automatically flow through.
What to actually do
Three notes to apply from SAP’s July release. In practical patching order, from an internet-facing operations perspective:
- AppRouter first. The AppRouter fix (CVE-2026-27690) is the one that closes an unauthenticated hazard on the edge of a BTP tenant. If you have BTP tenants exposed to the public internet — and if you have BTP, you generally do — apply the July note that references this CVE before the other two.
- Commerce Cloud second. The Commerce Cloud fix (CVE-2026-44761) removes the shipped sample, but a tenant that provisioned around the sample rather than rotating it needs the credential rotated independently. Applying the note is not sufficient on its own; audit whether the sample client is still enabled and, if it is, rotate.
- NetWeaver ABAP third. The 9.9 sits highest on the CVSS chart but requires an authenticated session, which is not a wall for a determined attacker holding a service-account credential but is a wall for the unauthenticated hazard. Patch it, but the two unauthenticated bugs go first if you are ration-patching.
The 6 high-severity and 7 medium-severity fixes in the same release cover a wider surface across SAP’s product line; SAP’s cumulative note list is the definitive reference and lives on the Security Patch Day landing page for authenticated customers.
Related coverage
- PTC Windchill PDMLink & FlexPLM unauthenticated RCE — the first-ever PTC entry on CISA KEV — same shape of enterprise-substrate bug, further along the KEV lifecycle.
- CISA warns of actively exploited RCE flaws in Joomla extensions — the counterpart from earlier in the week: unauthenticated, exploited, KEV.
Sourcing
- BleepingComputer. SAP warns of critical flaws in NetWeaver and Commerce Cloud, 2026-07-14.
- NVD entries: CVE-2026-44747, CVE-2026-27690, CVE-2026-44761.
- SAP. Security Patch Day landing page, July 2026 release.
Found this useful? Share it.