PROBABLYPWNED
Vulnerabilities · May 14, 2026 · 5 min read

SAP Patches CVSS 9.6 SQL Injection and RCE Flaws in S/4HANA, Commerce

SAP's May 2026 security update addresses 15 vulnerabilities, including CVE-2026-34260 SQL injection in S/4HANA and CVE-2026-34263 unauthenticated RCE in Commerce Cloud.

Marcus Chen

SAP released its May 2026 Security Patch Day on May 12, addressing 15 vulnerabilities across multiple products including two critical flaws that could allow attackers to execute SQL injection attacks against S/4HANA ERP systems and achieve unauthenticated remote code execution on Commerce Cloud deployments. This follows SAP's January 2026 patch cycle, which also featured critical SQL injection flaws—a recurring weakness in SAP's enterprise software.

Both critical vulnerabilities carry CVSS scores of 9.6, placing them firmly in the "patch immediately" category for enterprises running affected SAP infrastructure.

The Critical Vulnerabilities

CVE-2026-34260: SQL Injection in S/4HANA

CVE-2026-34260 affects the SAP Enterprise Search for ABAP component within S/4HANA. The vulnerability stems from missing input validation and sanitization, allowing authenticated attackers to craft malicious SQL statements and inject them through user-controlled input fields.

The application directly concatenates user input into SQL queries, enabling attackers to execute arbitrary database commands. While exploitation requires authentication, the CVSS 9.6 rating reflects the potential for complete data compromise—attackers could read, modify, or delete business-critical ERP data. This mirrors the pattern seen in the recent LiteLLM SQL injection that was exploited within 36 hours of disclosure—enterprise SQL injection flaws attract rapid weaponization.
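The concatenation flaw described above, shown beside its parameterized fix, as an added illustration that is not SAP's code and not taken from the advisory. It uses an in-memory SQLite table of constructed "business partner" rows as a stand-in for the ERP database; the function and table names are assumptions for the example. The crafted value is the textbook tautology used to show why the concatenated query returns every row while the bound-parameter query treats the same text as an ordinary name and returns nothing.

```python
# Added example (not SAP's code): string-concatenated SQL versus a bound parameter.
# SQLite in memory stands in for the ERP database; the table and rows are constructed.
import sqlite3


def _fresh_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed 'partners' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE partners (id INTEGER, name TEXT, country TEXT)")
    conn.executemany(
        "INSERT INTO partners VALUES (?, ?, ?)",
        [(1, "Acme GmbH", "DE"), (2, "Globex Ltd", "UK"), (3, "Initech Inc", "US")],
    )
    return conn


def search_partners_vulnerable(conn: sqlite3.Connection, name_filter: str) -> list:
    """The flaw pattern: the WHERE clause is built by concatenating user input,
    so quote characters in the input change the structure of the statement."""
    sql = "SELECT id, name FROM partners WHERE name = '" + name_filter + "'"
    return conn.execute(sql).fetchall()


def search_partners_safe(conn: sqlite3.Connection, name_filter: str) -> list:
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, name FROM partners WHERE name = ?"
    return conn.execute(sql, (name_filter,)).fetchall()


def demo() -> dict:
    """Run both variants on a normal value and on the textbook tautology input."""
    conn = _fresh_db()
    normal = "Acme GmbH"
    crafted = "x' OR '1'='1"  # closes the literal and appends an always-true condition
    return {
        "normal_vulnerable": search_partners_vulnerable(conn, normal),
        "normal_safe": search_partners_safe(conn, normal),
        "crafted_vulnerable": search_partners_vulnerable(conn, crafted),  # all 3 rows
        "crafted_safe": search_partners_safe(conn, crafted),              # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

In ABAP Open SQL the same distinction is between passing values as host variables (`@lv_name`) and assembling a dynamic `WHERE (lv_where)` string from user input; where a dynamic clause is unavoidable, the `cl_abap_dyn_prg` class provides methods such as `escape_quotes` and `quote` for the dynamic fragments. Code review for this class of bug looks for any place a request field reaches a query string without going through one of those paths.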

SAP S/4HANA serves as the backbone for financial, logistics, and operational processes at thousands of enterprises. Compromised ERP data could enable fraud, disrupt supply chains, or expose sensitive business intelligence.

CVE-2026-34263: Unauthenticated RCE in Commerce Cloud

CVE-2026-34263 targets SAP Commerce Cloud and requires no authentication for exploitation. The flaw results from an overly permissive security configuration with improper rule ordering.

Unauthenticated attackers can upload malicious configurations and inject code that executes server-side. Successful exploitation grants complete control over the Commerce Cloud instance, enabling data theft, service disruption, or use as a pivot point for lateral movement into connected systems.

E-commerce platforms handle payment data and customer PII and integrate with backend ERP systems, making Commerce Cloud a high-value target for both financially motivated attackers and those seeking initial access to enterprise networks.

Additional Vulnerabilities

Beyond the two critical flaws, SAP's May 2026 security advisory addresses:

  • CVE-2026-34259 (High): OS command injection in Forecasting and Replenishment allowing authenticated attackers to execute arbitrary operating system commands
  • 11 medium-severity issues across NetWeaver, BusinessObjects, Commerce Cloud, SAPUI5, and other products
  • Vulnerability types including cross-site scripting (XSS), cross-site request forgery (CSRF), missing authorization checks, and denial-of-service conditions

Why This Matters

SAP systems represent crown jewels in enterprise IT environments. S/4HANA deployments typically contain years of financial records, customer data, supplier relationships, and operational metrics. A successful SQL injection attack could enable:

  • Financial fraud through manipulation of accounting entries
  • Supply chain disruption by altering inventory or logistics data
  • Corporate espionage via extraction of pricing, cost, and strategic data
  • Regulatory violations if attackers access or modify compliance-relevant records

The Commerce Cloud vulnerability carries different risks. Unauthenticated RCE on internet-facing e-commerce infrastructure could enable payment card theft, customer data harvesting, or cryptomining at scale.

Enterprises running hybrid SAP environments should prioritize patching, as attackers increasingly chain web-facing vulnerabilities with internal system flaws. A compromised Commerce Cloud instance could provide the foothold needed to reach S/4HANA backends.

Exploitation Status

SAP has not reported active exploitation of either critical vulnerability. However, the detailed vulnerability descriptions in security advisories often accelerate exploit development—researchers and attackers alike now know exactly which components to examine.

This follows a broader pattern of enterprise software patches being reverse-engineered within days of release. Organizations with lengthy patching cycles face narrowing windows before proof-of-concept exploits emerge.

Recommended Actions

  1. Review SAP Security Note 3467XXX series for specific patch guidance and affected versions
  2. Prioritize internet-facing Commerce Cloud instances for immediate patching
  3. Assess S/4HANA exposure and implement network segmentation where patches cannot be applied immediately
  4. Enable enhanced logging on SAP systems to detect potential exploitation attempts
  5. Validate web application firewall rules for SQL injection patterns if compensating controls are needed temporarily

Security teams should also review related enterprise vulnerabilities, including the recent Microsoft Dynamics 365 RCE flaw (CVE-2026-42898, CVSS 9.9) patched in last week's Patch Tuesday. Attackers targeting enterprise environments often scan for multiple ERP and CRM vulnerabilities simultaneously.

Organizations dealing with supply chain security concerns may also want to review our coverage of the TanStack npm supply chain compromise, which highlights how software dependencies can introduce risk into enterprise environments.

Frequently Asked Questions

Which SAP products are affected by CVE-2026-34260? The SQL injection vulnerability specifically affects SAP S/4HANA through its SAP Enterprise Search for ABAP component. Check SAP's security notes for specific version ranges.

Does CVE-2026-34263 affect cloud-hosted SAP Commerce? Yes, the vulnerability affects SAP Commerce Cloud deployments. SAP-managed cloud instances should receive patches through SAP's maintenance processes, but organizations should verify with their SAP account teams.

Are there workarounds available? SAP recommends applying the official patches. Temporary mitigations like WAF rules or network restrictions may reduce risk but do not fully address the underlying vulnerabilities.
