Home/ Blog/ Security news/ Article
Blog · Security news

SAP's highest-scored July flaw is not the one to patch first

SAP's July 2026 patch day has three criticals. The top-scored 9.9 NetWeaver bug needs a login; the two pre-auth 9.1s in AppRouter and Commerce Cloud go first.

Three stone monoliths of differing heights on a plain with a winding path

SAP shipped 16 fixes on its July 2026 patch day, and three are rated critical. Ranked by CVSS, the worst is a 9.9 in NetWeaver Application Server ABAP. Ranked by how fast an outside attacker can reach it, that 9.9 comes last, because it needs a valid login. The two flaws scored a notch lower, 9.1 each, do not: one lets an unauthenticated request smuggle its way through SAP AppRouter, and the other hands a stranger a working access token because a sample credential shipped in Commerce Cloud was never removed. Triage this batch by score and you patch it in the wrong order.

None of the three are being exploited yet, according to SAP. That is the state today, not a promise for next week, and SAP NetWeaver has a history that argues for moving quickly. More on that below.

The three criticals, ranked by exposure instead of score

Here is the batch that matters, ordered the way a defender should work it: most reachable first. Every number in the table is also stated in the prose that follows.

CVEProductCVSSNeeds login?First action
CVE-2026-44761Commerce Cloud9.1NoRemove the sample OAuth2 client, rotate its secret
CVE-2026-27690AppRouter9.1NoUpdate the Node.js package to 20.10.0 or later
CVE-2026-44747NetWeaver AS ABAP9.9YesPatch the ABAP Kernel (SAP note 3747367)
Source: SAP July 2026 Security Patch Day notes, as reported by BleepingComputer, SecurityWeek, and Onapsis.

CVE-2026-44761 (Commerce Cloud, CVSS 9.1) is the fastest to weaponize because there is nothing to write. SAP ships a sample OAuth2 client with public, default credentials. If that client was left in a production storefront, an unauthenticated attacker can present those known credentials and receive a valid access token, then read and change data through the APIs. SAP's note says customers who removed the sample client or replaced its secret are not affected. That is the tell: this is a configuration you own, not a code bug you wait on a vendor to fix.

CVE-2026-27690 (AppRouter, CVSS 9.1) is an HTTP request-smuggling flaw, and it is exploitable without authentication. A crafted request causes request-response desynchronization, which an attacker uses to slip a second request past the front end's view of the traffic or to force a denial of service. It affects non-Cloud Foundry AppRouter deployments, and the fix is a version bump of the underlying Node.js package to 20.10.0 or later.

CVE-2026-44747 (NetWeaver AS ABAP, CVSS 9.9) carries the top score and is the last of the three to reach. It is a memory-corruption bug, an out-of-bounds write, that an authenticated attacker can drive to unauthorized data access, modification, or a downed system. The fix is a patched ABAP Kernel, delivered in SAP note 3747367, across kernel versions from 7.22 through 9.20. The interim mitigation, disabling the affected ICF nodes, also disables SAP GUI for HTML, so it is a tradeoff, not a free workaround.

Two of the three live outside what your Basis team calls SAP patching

The NetWeaver kernel fix is the one an SAP Basis team expects: schedule a kernel update, take the window, done. The other two are not in that muscle memory. CVE-2026-27690 is a Node.js dependency version, so it belongs to whoever owns software composition for AppRouter, and a shop that only tracks ABAP Support Package Stack levels will not see it. CVE-2026-44761 is not a patch at all in the usual sense. It is an artifact left in the environment. A team that reads July patch day as apply the kernel notes closes one of the three holes and leaves the two unauthenticated ones open.

The default credential is one you shipped, so a patch alone will not keep it closed

The Commerce Cloud flaw is worth a second look because of how it recurs. Removing the sample OAuth2 client or rotating its secret fixes it today. But the sample client can come back: a later environment refresh, a restored template, a lower environment copied and promoted to production, and the default credential is live again with no CVE to remind anyone. This is configuration drift, and the durable control is not the one-time note. It is continuous checking that the sample client and its default secret are absent from every production tenant, the kind of ongoing vulnerability detection that watches state rather than trusting a checklist. We made the same point about a password printed in source code with Central Dogma, and about leftover OAuth trust in the Salesforce connected-app breach: the credential you never rotate is the one that gets used.

How you would know before you patch

Patching closes the hole. It does not tell you whether someone walked through it first, and for the two unauthenticated flaws that window is the part worth instrumenting. For AppRouter, the signal sits at the edge: request-response desync tends to leave marks such as duplicated or conflicting Content-Length and Transfer-Encoding headers and responses that do not line up with the requests that should have produced them. For Commerce Cloud, the signal is an access token issued to the sample OAuth client id, which should never appear in a hardened production tenant. If your logs can answer whether the sample client minted a token this month, you can tell exploitation from a clean patch.

SAP's exposure is wide by definition. Its software runs the back office of most of the world's largest companies, and enterprise application suites are a standing target: Oracle E-Business Suite was under active attack earlier this quarter. That scale is why the exploitation status here is worth watching rather than trusting. CISA has added 14 SAP flaws to its Known Exploited Vulnerabilities catalog since November 2021, and earlier this year a vendor call that a SharePoint bug was unlikely to be exploited was overturned by CISA within weeks. Not exploited yet describes today. The two pre-auth, internet-facing flaws in this batch are the plausible next entries.

Pull the sample OAuth client today, then book the kernel window

Order the work by reach. First, confirm the Commerce Cloud sample OAuth2 client is gone from every production tenant and its secret is rotated, because that one needs no exploit and no downtime. Second, update the AppRouter Node.js package to 20.10.0 or later on any non-Cloud Foundry deployment. Third, schedule the NetWeaver ABAP Kernel patch in note 3747367; if you cannot take the window immediately, weigh the ICF-node mitigation against losing SAP GUI for HTML. The 9.9 gets the headline. The 9.1s get exploited first.

Topics

Frequently asked questions

Which SAP July 2026 flaw should I patch first?

Patch the two unauthenticated 9.1s before the 9.9. Remove the Commerce Cloud sample OAuth2 client (CVE-2026-44761), which needs no exploit, then update AppRouter's Node.js package to 20.10.0 (CVE-2026-27690). The 9.9 NetWeaver kernel bug requires a login, so it is less reachable.

Are the SAP July 2026 vulnerabilities being exploited?

No. As of publication SAP reports no evidence that the July flaws are being exploited. That is the current state, not a guarantee. CISA has added 14 SAP flaws to its Known Exploited Vulnerabilities catalog since November 2021, so the window can close fast.

What is CVE-2026-44761 in SAP Commerce Cloud?

CVE-2026-44761 is a default-credential flaw scored CVSS 9.1. SAP ships a sample OAuth2 client with public credentials, and if it is left in production an unauthenticated attacker can use it to obtain a valid access token and read or modify data through the APIs.

How do I fix the SAP AppRouter request-smuggling flaw?

Update AppRouter's underlying Node.js package to version 20.10.0 or later. CVE-2026-27690 is an unauthenticated HTTP request-smuggling bug that causes request-response desynchronization. It affects non-Cloud Foundry AppRouter deployments and is rated CVSS 9.1.

Does patching the NetWeaver kernel flaw need downtime?

The permanent fix for CVE-2026-44747 is a patched ABAP Kernel from SAP note 3747367, which needs a maintenance window. The interim mitigation, disabling the affected ICF nodes, also disables SAP GUI for HTML, so treat it as a tradeoff rather than a free workaround.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.