SAP shipped 16 fixes on its July 2026 patch day, and three are rated critical. Ranked by CVSS, the worst is a 9.9 in NetWeaver Application Server ABAP. Ranked by how fast an outside attacker can reach it, that 9.9 comes last, because it needs a valid login. The two flaws scored a notch lower, 9.1 each, do not: one lets an unauthenticated request smuggle its way through SAP AppRouter, and the other hands a stranger a working access token because a sample credential shipped in Commerce Cloud was never removed. Triage this batch by score and you patch it in the wrong order.
None of the three are being exploited yet, according to SAP. That is the state today, not a promise for next week, and SAP NetWeaver has a history that argues for moving quickly. More on that below.
The three criticals, ranked by exposure instead of score
Here is the batch that matters, ordered the way a defender should work it: most reachable first. Every number in the table is also stated in the prose that follows.
| CVE | Product | CVSS | Needs login? | First action |
|---|---|---|---|---|
| CVE-2026-44761 | Commerce Cloud | 9.1 | No | Remove the sample OAuth2 client, rotate its secret |
| CVE-2026-27690 | AppRouter | 9.1 | No | Update the Node.js package to 20.10.0 or later |
| CVE-2026-44747 | NetWeaver AS ABAP | 9.9 | Yes | Patch the ABAP Kernel (SAP note 3747367) |
CVE-2026-44761 (Commerce Cloud, CVSS 9.1) is the fastest to weaponize because there is nothing to write. SAP ships a sample OAuth2 client with public, default credentials. If that client was left in a production storefront, an unauthenticated attacker can present those known credentials and receive a valid access token, then read and change data through the APIs. SAP's note says customers who removed the sample client or replaced its secret are not affected. That is the tell: this is a configuration you own, not a code bug you wait on a vendor to fix.
CVE-2026-27690 (AppRouter, CVSS 9.1) is an HTTP request-smuggling flaw, and it is exploitable without authentication. A crafted request causes request-response desynchronization, which an attacker uses to slip a second request past the front end's view of the traffic or to force a denial of service. It affects non-Cloud Foundry AppRouter deployments, and the fix is a version bump of the underlying Node.js package to 20.10.0 or later.
CVE-2026-44747 (NetWeaver AS ABAP, CVSS 9.9) carries the top score and is the last of the three to reach. It is a memory-corruption bug, an out-of-bounds write, that an authenticated attacker can drive to unauthorized data access, modification, or a downed system. The fix is a patched ABAP Kernel, delivered in SAP note 3747367, across kernel versions from 7.22 through 9.20. The interim mitigation, disabling the affected ICF nodes, also disables SAP GUI for HTML, so it is a tradeoff, not a free workaround.
Two of the three live outside what your Basis team calls SAP patching
The NetWeaver kernel fix is the one an SAP Basis team expects: schedule a kernel update, take the window, done. The other two are not in that muscle memory. CVE-2026-27690 is a Node.js dependency version, so it belongs to whoever owns software composition for AppRouter, and a shop that only tracks ABAP Support Package Stack levels will not see it. CVE-2026-44761 is not a patch at all in the usual sense. It is an artifact left in the environment. A team that reads July patch day as apply the kernel notes closes one of the three holes and leaves the two unauthenticated ones open.
The default credential is one you shipped, so a patch alone will not keep it closed
The Commerce Cloud flaw is worth a second look because of how it recurs. Removing the sample OAuth2 client or rotating its secret fixes it today. But the sample client can come back: a later environment refresh, a restored template, a lower environment copied and promoted to production, and the default credential is live again with no CVE to remind anyone. This is configuration drift, and the durable control is not the one-time note. It is continuous checking that the sample client and its default secret are absent from every production tenant, the kind of ongoing vulnerability detection that watches state rather than trusting a checklist. We made the same point about a password printed in source code with Central Dogma, and about leftover OAuth trust in the Salesforce connected-app breach: the credential you never rotate is the one that gets used.
How you would know before you patch
Patching closes the hole. It does not tell you whether someone walked through it first, and for the two unauthenticated flaws that window is the part worth instrumenting. For AppRouter, the signal sits at the edge: request-response desync tends to leave marks such as duplicated or conflicting Content-Length and Transfer-Encoding headers and responses that do not line up with the requests that should have produced them. For Commerce Cloud, the signal is an access token issued to the sample OAuth client id, which should never appear in a hardened production tenant. If your logs can answer whether the sample client minted a token this month, you can tell exploitation from a clean patch.
SAP's exposure is wide by definition. Its software runs the back office of most of the world's largest companies, and enterprise application suites are a standing target: Oracle E-Business Suite was under active attack earlier this quarter. That scale is why the exploitation status here is worth watching rather than trusting. CISA has added 14 SAP flaws to its Known Exploited Vulnerabilities catalog since November 2021, and earlier this year a vendor call that a SharePoint bug was unlikely to be exploited was overturned by CISA within weeks. Not exploited yet describes today. The two pre-auth, internet-facing flaws in this batch are the plausible next entries.
Pull the sample OAuth client today, then book the kernel window
Order the work by reach. First, confirm the Commerce Cloud sample OAuth2 client is gone from every production tenant and its secret is rotated, because that one needs no exploit and no downtime. Second, update the AppRouter Node.js package to 20.10.0 or later on any non-Cloud Foundry deployment. Third, schedule the NetWeaver ABAP Kernel patch in note 3747367; if you cannot take the window immediately, weigh the ICF-node mitigation against losing SAP GUI for HTML. The 9.9 gets the headline. The 9.1s get exploited first.