SAP patches NetWeaver ABAP memory corruption (CVE-2026-44747, CVSS 9.9)
SAP's July 14 Patch Day ships 16 notes: a NetWeaver ABAP memory-corruption bug at CVSS 9.9, an Approuter request-smuggling flaw and Commerce Cloud default credentials both at 9.1.
SAP's July 2026 Security Patch Day landed on Tuesday, 14 July 2026, with 16 new security notes, one GitHub security advisory, and three updates to previously released notes. Four HotNews notes and six High Priority notes make the cut. The most severe fix is a memory-corruption bug in the NetWeaver Application Server ABAP kernel scored CVSS 9.9; an HTTP request-smuggling flaw in SAP Approuter and default sample credentials in SAP Commerce Cloud both score 9.1. SAP has not reported active exploitation for any of the July notes at press time.
CVE-2026-44747 — NetWeaver ABAP kernel memory corruption
The lead HotNews note (SAP Security Note 3747367) tracks CVE-2026-44747 — a memory-corruption issue in SAP NetWeaver Application Server ABAP. CVSS v3.1 is 9.9 (Critical); the weakness class is CWE-787 (out-of-bounds write). Vendor reporting from SecurityWeek and BleepingComputer both attribute the discovery to the Onapsis Research Labs, who co-authored four of this month's notes with SAP.
Affected kernel releases per the note: KRNL64NUC 7.22, 7.22EXT; KRNL64UC 7.22; KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, 9.20. Successful exploitation, according to Onapsis's own write-up, allows an authenticated attacker to trigger logical errors in kernel memory management and pivot to unauthorised data access, modification, or a service crash — with scope change, so a compromised component can reach beyond its own security boundary.
CVE-2026-27690 — Approuter HTTP request smuggling (CVSS 9.1)
CVE-2026-27690 is an HTTP request-smuggling bug in the SAP Approuter Node.js package prior to 20.10.0. Approuter is the entry-point router that fronts SAP BTP and Cloud Foundry application landscapes, brokering incoming HTTP to backend microservices. A smuggling primitive at that seam is what you would expect to see chained against authentication middleware or downstream caches. Fixed in @sap/approuter 20.10.0.
CVE-2026-44761 — Commerce Cloud sample credentials (CVSS 9.1)
CVE-2026-44761 covers insecure default credentials shipped in HY_COM 2205, COM_CLOUD 2211 and 2211-JDK21. An attacker who reaches the exposed APIs with the default token gets valid read/write against the store's data.
Also in the release
Onapsis's public breakdown lists these additional high-severity items:
- CVE-2026-58233 (CVSS 7.6) — RCE in the Change and Transport System Attach Tool.
- CVE-2026-40860, CVE-2026-40453, CVE-2026-33454 (CVSS 8.8, 8.5, 7.7) — multiple Apache Camel vulnerabilities in SAP Integration Suite (Edge Integration Cell), bundled via SAP Note 3758101.
- CVE-2026-43512, CVE-2026-41293, CVE-2026-43515 (CVSS 8.1, 8.1, 7.4) — Apache Tomcat vulnerabilities in SAP Commerce Cloud, SAP Note 3763800.
- CVE-2026-0487 (CVSS 8.4) — DLL hijacking in SAProuter on Windows.
Exploitation status
SAP's advisory and both major secondary write-ups (SecurityWeek, BleepingComputer) report no known in-the-wild exploitation for the July notes as of publication. No public PoC exists for CVE-2026-44747, CVE-2026-27690, or CVE-2026-44761 at press time. No detection artefacts — IOCs, YARA, or Sigma — have been published by SAP or Onapsis. If any land, we will update.
Action checklist
- Apply SAP Note 3747367 to the ABAP kernel matching your release. Kernel patches take an SAP system restart; schedule the maintenance window today and validate the compatibility of the kernel level against your enhancement pack.
- Upgrade @sap/approuter to 20.10.0 or later wherever an Approuter is exposed to the internet or fronting BTP subaccounts. Rebuild container images pinned to older node modules — a stale base layer will re-introduce the vulnerable version silently.
- Rotate the Commerce Cloud API tokens referenced by the affected HY_COM 2205 / COM_CLOUD 2211 releases. Treat the default credentials as leaked in every environment that ever booted with them, including staging.
- Front-load the Apache Camel and Tomcat bundle notes — 3758101 and 3763800 — if you run SAP Integration Suite Edge Integration Cell or Commerce Cloud. They are third-party components you already own the risk of; the SAP note is the shipping vehicle.
- NIS2 traceability. Log SAP Notes 3747367, 3758101, 3763800 in your regulated remediation tracker with today's patch-availability date. The next monthly SAP Security Patch Day lands on 12 August 2026.
Context
This is the second consecutive SAP Patch Day carrying a CVSS 9.9+ HotNews for ABAP: the June 2026 set shipped critical fixes for NetWeaver and Commerce Cloud in the same posture — vendor-flagged, no confirmed exploitation, patched inside the monthly cadence. The ABAP kernel has quietly become one of the routine sources of maximum-severity notes across 2025–2026, and the fact that Onapsis Research Labs is once again the credited discoverer on the top note suggests the exposed surface — memory management in the kernel — is being systematically walked, not accidentally found. Defenders running ABAP behind reverse-proxy edges should not use "no PoC yet" as a reason to slip past the standard monthly window.