SAP released 20 security notes on its April 2026 patch day, including one for a critical SQL injection vulnerability (CVE-2026-27681) in Business Planning and Consolidation and Business Warehouse that can lead to arbitrary code execution. A separate high-severity missing authorization issue (CVE-2026-34256) affects ERP and S/4HANA, and numerous medium- and low-severity fixes across BusinessObjects, NetWeaver, HANA, and other components were also issued; users are urged to apply the notes promptly. #SAP #CVE-2026-27681 #CVE-2026-34256 #BusinessWarehouse
Key points
- SAP published 20 security notes for April 2026 covering critical, high, medium, and low-severity issues.
- CVE-2026-27681 is a critical (CVSS 9.9) SQL injection in Business Planning and Consolidation and Business Warehouse that can enable arbitrary SQL and code execution.
- The vulnerable ABAP upload functionality could be abused to run malicious SQL against BW/BPC data stores, risking data theft, report tampering, and database corruption.
- CVE-2026-34256 is a high-severity missing authorization issue in ERP and S/4HANA that may allow execution of ABAP programs and rewriting of eight-character executables.
- SAP fixed the critical issue by deactivating the executable code and patched flaws across BusinessObjects, NetWeaver, HANA, S/4HANA and other modules; administrators should apply the security notes immediately.
Read More: https://www.securityweek.com/sap-patches-critical-abap-vulnerability/