SAP Security Patch Day - April 2026

This post shares information on the security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.

On 14th of April 2026, SAP Security Patch Day saw the release of 19 new security notes. There is 1 update to a previously released security note.

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 3719353 | [CVE-2026-27681] SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse<br>Product - SAP Business Planning and Consolidation and SAP Business Warehouse<br>Version(s) - HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816 | Critical | 9.9 |
| 3731908 | [CVE-2026-34256] Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)<br>Product - SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)<br>Version(s) - SAP_FIN 618, 720, 730, EA-FIN 617, 700, SAPSCORE 135, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 | High | 7.1 |
| 3696239 | [CVE-2025-64775] Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform<br>Product - SAP BusinessObjects Business Intelligence Platform<br>Version(s) - ENTERPRISE 430, 2025, 2027 | Medium | 6.5 |
| 3680767 | [CVE-2026-34264] Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA<br>Product - SAP Human Capital Management for SAP S/4HANA<br>Version(s) - S4HCMRXX 100, 101, 102, SAP_HRRXX 600, 604, 608 | Medium | 6.5 |
| 3705094 | [CVE-2026-34261] Missing Authorization check in SAP Business Analytics and SAP Content Management<br>Product - SAP Business Analytics and SAP Content Management<br>Version(s) - S4HCMRXX 100, 101, 102, SAP_HRRXX 600, 604, 608 | Medium | 6.5 |
| 3715097 | [CVE-2026-27677] Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment)<br>Product - SAP S/4HANA OData Service (Manage Reference Equipment)<br>Version(s) - S4CORE 109 | Medium | 6.5 |
| 3715177 | [CVE-2026-27678] Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures)<br>Product - SAP S/4HANA Backend OData Service (Manage Reference Structures)<br>Version(s) - S4CORE 109 | Medium | 6.5 |
| 3716767 | [CVE-2026-27679] Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)<br>Product - SAP S/4HANA Frontend OData Service (Manage Reference Structures)<br>Version(s) - UIS4H 109 | Medium | 6.5 |
| 3645228 | [CVE-2026-0512] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)<br>Product - SAP Supplier Relationship Management (SICF Handler in SRM Catalog)<br>Version(s) - SRM_SERVER 702, 713, 714 | Medium | 6.1 |
| 3719397 | [CVE-2026-27674] Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)<br>Product - SAP NetWeaver Application Server Java (Web Dynpro Java)<br>Version(s) - WD-RUNTIME 7.50 | Medium | 6.1 |
| 3692004 | [CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP<br>Product - SAP NetWeaver Application Server ABAP<br>Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816 | Medium | 6.1 |
| 3730639 | [CVE-2026-34262] Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer<br>Product - SAP HANA Cockpit and HANA Database Explorer<br>Version(s) - SAP_HANA_COCKPIT 2.0 | Medium | 5.0 |
| 3703813 | [CVE-2026-27673] Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise)<br>Product - SAP S/4HANA (Private Cloud and On-Premise)<br>Version(s) - S4CORE 105, 106, 107, 108, 109, FI-CA 606, 616, 617, 618 | Medium | 4.9 |
| 3703276 | [CVE-2026-27672] Missing Authorization check in Material Master Application<br>Product - Material Master Application<br>Version(s) - S4CORE 102, 103, 104, 105, 106, 107, 108, 109, SCM_BASIS 700, SCM_BASIS 701, SCM_BASIS 702, SCM_BASIS 712, SCM_BASIS 713, SCM_BASIS 714 | Medium | 4.3 |
| 3711682 | [CVE-2026-27676] Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures)<br>Product - SAP S/4HANA OData Service (Manage Technical Object Structures)<br>Version(s) - S4CORE 109 | Medium | 4.3 |
| 3530544 | Update to Security Note released on November 2025 Patch Day:<br>[CVE-2025-42899] Missing Authorization check in SAP S4CORE (Manage Journal Entries)<br>Product - SAP S4CORE (Manage Journal Entries)<br>Version(s) - S4CORE 104, 105, 106, 107, 108 | Medium | 4.3 |
| 3702191 | [CVE-2026-24318] Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform<br>Product - SAP BusinessObjects Business Intelligence Platform<br>Version(s) - ENTERPRISE 430, 2025, 2027 | Medium | 4.2 |
| 3698216 | [CVE-2026-27683] Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform<br>Product - SAP BusinessObjects Business Intelligence Platform<br>Version(s) - ENTERPRISE 430, 2025, 2027 | Medium | 4.1 |
| 3665042 | [CVE-2026-27680] CSS Injection vulnerability in SAP NetWeaver Application Server ABAP<br>Product - SAP NetWeaver Application Server ABAP<br>Version(s) - SAP_UI 758, 816 | Low | 3.1 |
| 3723097 | [CVE-2026-27675] Code Injection vulnerability in SAP Landscape Transformation<br>Product - SAP Landscape Transformation<br>Version(s) - DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107, 108, 109 | Low | 2.0 |

To learn more about the security researchers and research companies who have contributed to this month's security patches, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.