
SAP NetWeaver Critical Flaws: SAML Spoofing to Kernel RCE

June 14, 2026 · 7 min read · By William

SAP’s June 2026 Security Patch Day shipped four critical vulnerabilities, three scoring above CVSS 9.0, across NetWeaver AS ABAP, the ABAP Kernel, NetWeaver AS Java, and SAP Commerce Cloud. The worst, CVE-2026-44748 (CVSS 9.9), lets any authenticated user forge SAML identity assertions via XML Signature Wrapping. CVE-2026-27671 (CVSS 9.8) allows unauthenticated remote attackers to corrupt SAP Kernel memory over RFC, opening a path to code execution. Patch now: SAP has published no workaround for these, and restricting network reach only buys time until the notes are applied.

Four Critical CVEs: The Attack Surface

SAP released 15 new security notes and five updates on June 9, 2026, covering 20 total patches. Six carry HotNews priority. Four of those are critical, each targeting a different layer of the SAP stack — authentication, kernel, web container, and commerce platform. The Center for Cybersecurity Belgium (CCB) issued a same-day warning urging immediate patching. No active exploitation has been observed yet.

CVE              CVSS  Component                       Attack vector            Auth
CVE-2026-44748   9.9   NetWeaver AS ABAP (SAML auth)   XML Signature Wrapping   Authenticated
CVE-2026-27671   9.8   SAP Kernel (ABAP)               RFC memory corruption    Unauthenticated
CVE-2026-22732   9.1   Commerce Cloud / Data Hub       Spring Security bypass   Unauthenticated
CVE-2026-40128   9.0   NetWeaver AS Java               Directory traversal      Unauthenticated

Three of the four require no authentication. That fact alone should move these patches to the top of every SAP administrator’s queue, alongside the wave of CVSS 9+ enterprise CVEs disclosed this month.

CVE-2026-44748: SAML Spoofing at CVSS 9.9

The highest-severity flaw in this batch is an XML Signature Wrapping vulnerability in SAML authentication within SAP NetWeaver AS ABAP and the ABAP Platform. Tracked under CVE-2026-44748 and patched in SAP Security Note 3746332, it allows an authenticated attacker holding normal privileges to capture a legitimately signed SAML message, modify its XML structure, and resubmit it to the verifier.

The signature check itself passes; the problem is that the verifier never ties the element whose signature it checked to the element it later reads the identity from. An attacker keeps the legitimately signed assertion intact somewhere in the document and adds a second, unsigned assertion where the consuming code looks first. The signature verifies against the original, and the tampered identity assertions are what get consumed. The attacker can escalate privileges, impersonate other users, and access data their account should never reach. Impact spans confidentiality, integrity, and availability, all rated High in the CVSS vector (source: CCB Belgium).
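The wrapping attack and the consuming-side fix, as an added example modelled on the mechanism described above; it is not SAP's code and not the published proof of concept. To stay dependency-free it replaces XML-DSig's RSA signature and C14N with an HMAC over a SHA-256 digest of the serialised element, so the key IDP_KEY, the element IDs and the Response layout are all constructed. The vulnerable verifier checks the signature and then reads the subject from the first Assertion in document order; the hardened one consumes only the element the signature actually covered and rejects any document with more than one Assertion.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo of XML Signature Wrapping against a SAML 2.0 consumer.
# Simplification: the "signature" is an HMAC over the SHA-256 digest of the
# referenced element; real XML-DSig canonicalises (C14N) and signs with RSA/ECDSA.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)

IDP_KEY = b"demo-idp-signing-key"  # hypothetical; stands in for the IdP key pair


def element_digest(element):
    """SHA-256 over the element with its enveloped <ds:Signature> removed."""
    clone = copy.deepcopy(element)
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return hashlib.sha256(ET.tostring(clone)).hexdigest()


def idp_sign_response(user):
    """IdP side: one Assertion for `user`, signed with an enveloped signature."""
    root = ET.Element(f"{{{SAMLP}}}Response")
    assertion = ET.SubElement(root, f"{{{SAML}}}Assertion", ID="_legit")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    digest = element_digest(assertion)
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#_legit")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = hmac.new(
        IDP_KEY, digest.encode(), "sha256").hexdigest()
    return ET.tostring(root)


def verify_signature(root):
    """Return the element the signature covers, or None if verification fails."""
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return None
    ref = sig.find(f".//{{{DS}}}Reference")
    digest = ref.find(f"{{{DS}}}DigestValue").text
    sig_value = sig.find(f"{{{DS}}}SignatureValue").text
    target_id = ref.get("URI", "")[1:]
    # Resolve the Reference by ID wherever the element sits in the document.
    target = next((el for el in root.iter() if el.get("ID") == target_id), None)
    if target is None or element_digest(target) != digest:
        return None
    expected = hmac.new(IDP_KEY, digest.encode(), "sha256").hexdigest()
    return target if hmac.compare_digest(expected, sig_value) else None


def subject_vulnerable(response_xml):
    """Checks the signature, then reads identity from the first Assertion found."""
    root = ET.fromstring(response_xml)
    if verify_signature(root) is None:
        raise ValueError("signature invalid")
    # BUG: the verified element and the consumed element are never tied together.
    assertion = root.find(f".//{{{SAML}}}Assertion")
    return assertion.find(f".//{{{SAML}}}NameID").text


def subject_hardened(response_xml):
    """Consumes only the element the signature covered, and only if it is the sole Assertion."""
    root = ET.fromstring(response_xml)
    signed = verify_signature(root)
    if signed is None or signed.tag != f"{{{SAML}}}Assertion":
        raise ValueError("signature invalid or does not cover an Assertion")
    assertions = root.findall(f".//{{{SAML}}}Assertion")
    if len(assertions) != 1 or assertions[0] is not signed:
        raise ValueError("unexpected assertion structure")
    return signed.find(f".//{{{SAML}}}NameID").text


def wrap_signature(signed_xml, impersonate):
    """Attacker side: keep the signed Assertion intact, prepend an unsigned forged one."""
    root = ET.fromstring(signed_xml)
    legit = root.find(f".//{{{SAML}}}Assertion")
    forged = copy.deepcopy(legit)
    forged.set("ID", "_forged")
    forged.remove(forged.find(f"{{{DS}}}Signature"))
    forged.find(f".//{{{SAML}}}NameID").text = impersonate
    root.insert(0, forged)
    return ET.tostring(root)


if __name__ == "__main__":
    legit = idp_sign_response("alice")
    wrapped = wrap_signature(legit, "admin")
    print("vulnerable verifier accepted:", subject_vulnerable(wrapped))
    try:
        subject_hardened(wrapped)
    except ValueError as err:
        print("hardened verifier rejected:", err)
```

The fix is structural rather than cryptographic: whatever library verifies the signature must hand back the verified element, and the application must read identity from that object alone. Any lookup by tag name or XPath after verification reopens the hole.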

The vulnerability was reported by Onapsis Research Labs, which co-discovered six of the 15 new notes in this patch cycle, including two tagged HotNews. CWE-347 (Improper Verification of Cryptographic Signature) classifies the root cause. A public proof-of-concept has already appeared on GitHub, raising the likelihood of weaponization before organizations finish patching.

CVE-2026-27671: Unauthenticated Kernel RCE Path

If the SAML flaw is the headline, CVE-2026-27671 is the one that should keep SOC teams awake. Scoring CVSS 9.8, this memory corruption vulnerability lives in the SAP Kernel that powers Application Server ABAP. The trigger is improper validation of the RFC (Remote Function Call) protocol — the backbone of inter-system SAP communication.

An unauthenticated attacker who can reach the RFC listener sends a crafted protocol request that corrupts kernel memory. According to the CVE record and SAP’s own advisory, the outcome can range from application crash to unauthorized data access to arbitrary code execution. That last option means full system compromise of the SAP application server — the ERP backbone — without any credentials.

RFC listeners are often exposed on internal networks between SAP instances, message servers, and dispatchers. In hybrid or cloud-hosted SAP deployments where network segmentation is inconsistent, an attacker who gains a foothold on any adjacent host can pivot to the application server through this channel. The SAP Security Patch Day page lists the affected kernel versions and required updates.

Commerce Cloud and Java Weaknesses

The remaining two criticals widen the blast radius beyond core ERP.

CVE-2026-22732 (CVSS 9.1) targets SAP Commerce Cloud and SAP Data Hub running ENGINEAPI 7.50. The flaw stems from a Spring Security vulnerability that allows unauthenticated remote attackers to compromise confidentiality and integrity without any user interaction. SAP Commerce Cloud is a managed SaaS platform — meaning SAP applies patches on its side, but customers running Data Hub on-premise or in private cloud must patch manually.

CVE-2026-40128 (CVSS 9.0) is a directory traversal in SAP NetWeaver Application Server Java’s web container. An unauthenticated attacker sends crafted HTTP logon requests that escape the intended directory structure, enabling file reads, modifications, or application crashes. Per the CCB advisory, the attacker needs only network reachability to the Java stack — no credentials, no user interaction.

Impact on Cloud Security Teams

These vulnerabilities land at a time when SAP systems are increasingly internet-facing. RISE with SAP migrations, S/4HANA cloud adoptions, and BTP integrations have eroded the network perimeter that once protected ERP infrastructure. The assumption that “RFC is internal-only” no longer holds in architectures where SAP instances communicate across VPCs, availability zones, or even third-party hosting.

Consider how the flaws combine. CVE-2026-40128 lets an unauthenticated attacker read files on the Java web tier. CVE-2026-27671 turns RFC reachability into code execution on the ABAP application server, and with it control of any account on that system. CVE-2026-44748 then lets such an account forge SAML assertions that federated systems accept. Chained together, these flaws provide a path from perimeter foothold to privileged ERP data access, the same class of enterprise application zero-day that ShinyHunters recently exploited in Oracle PeopleSoft to breach global organizations.

SecurityBridge, which independently tracks SAP patch releases, confirmed the same count of 15 new notes. ERP Today noted that the patching process for Commerce Cloud and Data Hub may require comprehensive validation, emphasizing the need for efficient patch pipelines to avoid disrupting customer-facing commerce services (source: ERP Today).

Remediation Checklist for SAP Administrators

  1. Apply SAP Note 3746332 immediately for CVE-2026-44748. This patches the SAML XML Signature Wrapping flaw. After patching, confirm with a test login that a response carrying a second, unsigned assertion alongside the signed one is rejected rather than consumed.
  2. Update the ABAP Kernel to the version specified in the note for CVE-2026-27671. Firewall rules alone are not enough: legitimate RFC traffic between SAP instances still reaches the vulnerable listener, so the kernel itself has to be fixed.
  3. Patch NetWeaver AS Java for CVE-2026-40128. If the Java web container is internet-exposed, treat this as a race against public PoC development.
  4. Verify Commerce Cloud patch status for CVE-2026-22732. SaaS customers should confirm SAP has applied the update; on-premise Data Hub deployments need manual intervention.
  5. Audit RFC exposure. Map every RFC listener across your SAP landscape. Restrict RFC ports to the minimum necessary host pairs. If RFC is reachable from general corporate VLANs, close that gap now.
  6. Review SAML trust relationships. If your SAP system federates with external identity providers, an attacker who exploits CVE-2026-44748 on one system can forge assertions accepted by others. Rotating the IdP signing keys after patching invalidates any signed messages an attacker captured before the fix, but it does not by itself close the verification flaw; only the patch does that.
  7. Monitor for exploitation signals. Watch for anomalous RFC connection attempts, unexpected SAML assertions in audit logs, and HTTP requests with traversal patterns targeting the Java web container.
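Detection logic for the traversal half of item 7, as an added example that is not from the article. It parses combined-format access-log lines (the sample lines and paths are constructed; the log format of your ICM or reverse proxy is an assumption), fully percent-decodes the request target so double-encoded variants surface, normalises backslashes, and flags any `..` path segment as well as overlong-UTF-8 dot encodings that a decoder would otherwise mangle.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines, combined-log style; not real SAP or customer data.
SAMPLE_LOG = """\
10.0.4.17 - - [10/Jun/2026:08:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5123
10.0.4.17 - - [10/Jun/2026:08:12:09 +0000] "GET /logon/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [10/Jun/2026:08:13:44 +0000] "POST /logon/logonServlet?path=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 500 0
198.51.100.77 - - [10/Jun/2026:08:13:59 +0000] "GET /irj/%c0%ae%c0%ae/%c0%ae%c0%ae/WEB-INF/web.xml HTTP/1.1" 400 0
10.0.4.22 - - [10/Jun/2026:08:14:02 +0000] "GET /webdynpro/resources/style.css HTTP/1.1" 200 301
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment: at start or after a path/query delimiter, followed by a slash or end.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&;])\.\.(?:[/\\]|$)')
# Overlong UTF-8 encodings of "." and "/" used to smuggle ".." past naive decoders.
OVERLONG_RE = re.compile(r'%c0%ae|%c0%af|%c1%9c', re.IGNORECASE)


def fully_decode(target, rounds=3):
    """Percent-decode repeatedly (bounded) so %252e%252e becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_traversal(log_text):
    """Return one dict per request whose target contains a traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        target = match["target"]
        decoded = fully_decode(target).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded) or OVERLONG_RE.search(target):
            hits.append({
                "src": match["src"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "target": target,
                "decoded": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['status']} {hit['decoded']}")
```

Do not filter on response status: a 404 or 400 still tells you who is probing, and the first successful read will come from the same source. Pair the hits with RFC gateway connection logs from the same hosts when triaging.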

The Cyber Security Agency of Singapore and CCB Belgium both flagged this patch cycle as high priority. With a public PoC already on GitHub and three unauthenticated attack paths, the window before active exploitation is measured in days, not weeks.
