The June 2026 SAP Security Patch package fixes 15 vulnerabilities, with four critical-severity flaws impacting SAP NetWeaver and SAP Commerce Cloud. CVE-2026-44748 (CVSS 9.9) is an XML Signature Wrapping vulnerability in NetWeaver AS ABAP and ABAP Platform that may allow authentication bypass in SAML-based environments by accepting tampered identity information. CVE-2026-27671 (CVSS 9.8) is a memory corruption vulnerability in NetWeaver/ABAP Platform Application Server ABAP exploitable without authentication via crafted RFC requests. CVE-2026-22732 (CVSS 9.1) affects SAP Commerce Cloud and SAP Data Hub through a Spring Security-related issue. CVE-2026-40128 (CVSS 9.0) is a directory traversal vulnerability in NetWeaver Application Server Java's Web Container. Additional high-severity and other vulnerabilities were also addressed. SAP restricts detailed mitigation information to customers with security portal access.

The critical vulnerabilities could allow attackers to bypass authentication mechanisms, gain unauthorized access to sensitive user data, cause memory corruption without authentication, and perform directory traversal attacks. These impacts could lead to unauthorized system access, data exposure, and potential disruption of normal business operations in enterprise environments using SAP NetWeaver and Commerce Cloud platforms.

SAP has released official patches for these vulnerabilities as part of its June 2026 Security Patch package. Organizations using affected SAP products should prioritize applying these patches promptly. Detailed remediation instructions and workarounds are available exclusively to SAP customers through the SAP security portal. Patch status is confirmed as fixed by SAP's official security bulletin.