SAP Fixes Critical Vulnerabilities in Commerce Cloud and S/4HANA

Keerthana S May 12, 2026| 04:57 PM Technology

SAP has released its May 2026 security updates, patching 15 vulnerabilities affecting several products, including two critical flaws in SAP Commerce Cloud and S/4HANA. Commerce Cloud, widely used by major retailers and global brands for enterprise e-commerce operations, and S/4HANA, SAP’s next-generation cloud ERP platform, were among the most impacted systems in the latest advisory.

One of the critical issues, tracked as CVE-2026-34263, involves a missing authentication check in SAP Commerce Cloud that could allow attackers to execute malicious code on vulnerable servers without logging in. According to SAP, the flaw stems from an improper Spring Security configuration that enables unauthenticated users to upload malicious configurations and inject code, potentially leading to arbitrary server-side code execution. Successful exploitation could severely impact the confidentiality, integrity, and availability of affected systems.

Figure 1. Commerce Cloud and S/4HANA.

The second critical vulnerability, CVE-2026-34260, affects SAP S/4HANA and allows attackers with low-level privileges to conduct SQL injection attacks. SAP explained that the application improperly concatenates untrusted user input directly into SQL queries without adequate validation or sanitization. Exploiting the flaw could allow attackers to access sensitive database information or disrupt the application, posing significant risks to data confidentiality and system availability. Figure 1 shows commerce cloud and S/4HANA.

Beyond the two critical vulnerabilities, SAP’s May 2026 Patch Day also addressed one high-severity flaw and 11 medium-severity issues. These include vulnerabilities related to command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service conditions.

Although SAP said there is currently no evidence that these newly patched flaws are being actively exploited, the company has faced repeated security challenges in recent years [1]. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 14 SAP-related vulnerabilities to its Known Exploited Vulnerabilities catalog, including flaws previously leveraged in ransomware attacks.

More recently, attackers compromised several official SAP npm packages in a supply-chain attack designed to steal developer credentials and authentication tokens. As one of the world’s largest enterprise software providers, SAP serves 99 of the top 100 global companies and reported more than €36 billion in revenue during fiscal year 2025.

Reference:

  1. https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabilities-in-commerce-cloud-and-s-4hana/
Cite this article:

Keerthana S (2025), SAP Fixes Critical Vulnerabilities in Commerce Cloud and S/4HANA, AnaTechMaz, pp.189

Recent Post

Blog Archive