SAP Patches CVSS 9.9 SQL Injection in January Update

SAP released 17 security notes on January 13, 2026, including four rated HotNews—SAP's designation for vulnerabilities carrying CVSS scores of 9.0 or higher. The most severe, CVE-2026-0501, is a SQL injection flaw in S/4HANA's General Ledger module that scores 9.9 and could allow authenticated users with minimal privileges to extract or modify financial data.

Organizations running SAP S/4HANA Private Cloud and On-Premise deployments should treat this as an emergency patching priority. The vulnerability affects core financial processing functionality.

TL;DR

• What happened: SAP's January 2026 Security Patch Day addresses 17 vulnerabilities across multiple products
• Who's affected: S/4HANA, HANA database, NetWeaver, Wily Introscope administrators
• Severity: Four critical (CVSS 9.0+), four high (CVSS 8.0+), nine medium/low
• Action required: Apply security notes immediately, prioritizing HotNews vulnerabilities

What Makes CVE-2026-0501 So Dangerous?

The SQL injection vulnerability exists in SAP S/4HANA's Financials General Ledger module. Authenticated users—even those with low-privilege accounts—can execute arbitrary SQL queries against backend databases. The vulnerability scores 9.9 because successful exploitation grants attackers complete access to financial data: reading, modifying, or deleting records at will.

The attack requires authentication but not elevated privileges. Any valid user account provides enough access to launch exploitation attempts. In environments where contractors, partners, or large employee populations have basic SAP access, the attack surface expands considerably.

SAP's advisory notes "cross-scope impact on confidentiality, integrity, and availability of financial data." Translation: attackers can steal sensitive financial records, manipulate ledger entries, or corrupt databases entirely.

Additional Critical Vulnerabilities

Three other vulnerabilities reached HotNews severity:

CVE-2026-0500 (CVSS 9.6) affects SAP Wily Introscope Enterprise Manager's WorkStation component. Unauthenticated remote attackers can execute arbitrary code, though exploitation requires tricking a user into interacting with malicious content. Organizations using Introscope for application performance monitoring face remote code execution risk on monitoring infrastructure.

CVE-2026-0498 (CVSS 9.1) enables code injection in S/4HANA Private Cloud and On-Premise installations. This flaw requires high-privilege access but delivers cross-scope impact once exploited—attackers who already hold administrative access can escalate to complete system control.

CVE-2026-0491 (CVSS 9.1) presents similar code injection risks in SAP Landscape Transformation, affecting DMIS versions from 2011_1_700 through 2020.

High-Priority Fixes

Beyond the critical issues, four high-severity vulnerabilities demand prompt attention:

CVE-2026-0492 (CVSS 8.8) in SAP HANA database allows privilege escalation. An attacker with valid credentials for any user account can switch to another user, potentially gaining administrative access. Database administrators should prioritize this patch—successful exploitation grants complete database control.

CVE-2026-0507 (CVSS 8.4) affects SAP Application Server for ABAP and NetWeaver RFCSDK with an operating system command injection vulnerability. Attackers can inject commands that execute on the underlying server.

CVE-2026-0506 (CVSS 8.1) addresses missing authorization checks in NetWeaver ABAP Platform.

CVE-2026-0511 (CVSS 8.1) fixes an authorization bypass in SAP Fiori's Intercompany Balance Reconciliation app.

Why This Matters

SAP systems underpin financial operations at thousands of large enterprises. A SQL injection vulnerability in General Ledger modules presents obvious concerns for organizations bound by SOX compliance, financial reporting requirements, or simply dependent on accurate accounting data.

The combination of low access requirements and maximum impact makes CVE-2026-0501 an attractive target. Attackers who obtain any valid SAP credential—through phishing, credential stuffing, or purchasing stolen credentials—gain everything needed for exploitation.

SAP Patch Day vulnerabilities historically attract attention from both criminal groups and advanced persistent threat actors. Organizations should assume exploitation attempts will follow shortly.

Recommended Actions

1. Review affected systems - Identify all S/4HANA, HANA database, NetWeaver, and Introscope installations in your environment
2. Prioritize HotNews vulnerabilities - Apply patches for CVE-2026-0501, CVE-2026-0500, CVE-2026-0498, and CVE-2026-0491 within 24-48 hours
3. Address high-priority issues - Schedule patching for CVE-2026-0492, CVE-2026-0507, CVE-2026-0506, and CVE-2026-0511 within one week
4. Audit user access - Review who holds SAP access credentials, particularly for S/4HANA financial modules
5. Enable database monitoring - Ensure logging captures unusual SQL queries or cross-user privilege switches

Organizations unable to patch immediately should implement compensating controls including enhanced monitoring, network segmentation of SAP systems, and temporary restriction of S/4HANA access to essential personnel only.