SAP Security Patch Day - February 2026

This post shares the information on security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 10th of February 2026, SAP security patch day saw the release of 26 new security notes. Further, there was 1 update to previously released Security Note.

Note#

Title

Priority

CVSS

3697099

[CVE-2026-0488Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)

Product - SAP CRM and SAP S/4HANA (Scripting Editor)
Version(s) - S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801

Critical

9.9

3674774

[CVE-2026-0509Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Product - SAP NetWeaver Application Server ABAP and ABAP Platform
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19

Critical

9.6

3697567

[CVE-2026-23687XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform

Product - SAP NetWeaver AS ABAP and ABAP Platform
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917, SAP_BASIS 918

High

8.8

3703092

[CVE-2026-23689Denial of service (DOS) in SAP Supply Chain Management

Product - SAP Supply Chain Management
Version(s) - SCMAPO 713, 714, SCM 700, 701, 702, 712

High

7.7

3705882

[CVE-2026-24322Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)

Product - SAP Solution Tools Plug-In (ST-PI)
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758

High

7.7

3654236

[CVE-2026-0490Denial of service (DOS) in SAP BusinessObjects BI Platform

Product - SAP BusinessObjects BI Platform
Version(s) - ENTERPRISE 430, 2025, 2027

High

7.5

3678282

[CVE-2026-0485Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform

Product - SAP BusinessObjects BI Platform
Version(s) - ENTERPRISE 430, 2025, 2027

High

7.5

3692405

[CVE-2025-12383Race Condition in SAP Commerce Cloud

Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21

High

7.4

3674246

[CVE-2026-0508Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform

Product - SAP BusinessObjects Business Intelligence Platform
Version(s) - ENTERPRISE 430, 2025, 2027

High

7.3

3672622

[CVE-2026-0484Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA

Product - SAP NetWeaver Application Server ABAP and SAP S/4HANA
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

6.5

3695912

[CVE-2026-24324Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools)

Product - SAP BusinessObjects Business Intelligence Platform (AdminTools)
Version(s) - ENTERPRISE 430, 2025, 2027

Medium

6.5

3678417

[Multiple CVEs] Multiple vulnerabilities in BSP Applications of SAP Document Management System

Additional CVE - CVE-2026-0505CVE-2026-24323
Product - SAP Document Management System
Version(s) - SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606, 617

Medium

6.1

3688319

[CVE-2026-24328Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)

Product - Business Server Pages Application (TAF_APPLAUNCHER)
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758

Medium

6.1

3503138

Update to Security Note released on January 2025 Patch Day:

[CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

Product  SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
Version(s) – KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12, 9.14

Medium

6.0

3689543

[CVE-2026-23684Race condition vulnerability in SAP Commerce Cloud

Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21

Medium

5.9

3679346

[CVE-2026-24319Information Disclosure Vulnerability in SAP Business One (B1 Client Memory Dump Files)

Product - SAP Business One (B1 Client Memory Dump Files)
Version(s) - B1_ON_HANA 10.0, SAP-M-BO 10.0

Medium

5.8

3687771

[CVE-2026-24321Information Disclosure vulnerability in SAP Commerce Cloud

Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21

Medium

5.3

3710111

[CVE-2026-24312Missing authorization check in SAP Business Workflow

Product - SAP Business Workflow
Version(s) - SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

5.2

3691645

[CVE-2026-0486Missing Authorization Check in ABAP based SAP systems

Product - ABAP based SAP systems
Version(s) - ST-PI 2005_1_700, 2008_1_710, 740, 758

Medium

5.0

3697256

[CVE-2026-24325Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)

Product - SAP BusinessObjects Enterprise (Central Management Console)
Version(s) - ENTERPRISE 430, 2025, 2027

Medium

4.8

3687285

[CVE-2026-23685Insecure Deserialization vulnerability in SAP NetWeaver (JMS service)

Product - SAP NetWeaver (JMS service)
Version(s) - J2EE-FRMW 7.50

Medium

4.4

3215823

[CVE-2026-23688Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services)

Product - SAP Fiori App (Manage Service Entry Sheets - Lean Services)
Version(s) - S4CORE 102, 103, 104, 105, 106, 107

Medium

4.3

3680416

[CVE-2026-23681Missing Authorization check in a function module in SAP Support Tools Plug-In

Product - SAP Support Tools Plug-In
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758

Medium

4.3

3678009

[CVE-2026-24326Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)

Product - SAP S/4HANA Defense & Security (Disconnected Operations)
Version(s) - EA-DFPS 600, 603, 604, 605, 606, 616, 617, 618, 619, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809

Medium

4.3

3680390

[CVE-2026-24327Missing Authorization Check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application)

Product - SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application)
Version(s) - SEM-BW 600, 700, 602, 603, 604, 605, 634, 736, 746, 747, 748, 800

Medium

4.3

3673213

[CVE-2026-23686CRLF Injection vulnerability in SAP NetWeaver Application Server Java

Product - SAP NetWeaver Application Server Java
Version(s) - LMNWABASICAPPS 7.50

Low

3.4

3678313

[CVE-2026-24320Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)

Product - SAP NetWeaver and ABAP Platform (Application Server ABAP)
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.16, 9.17, 9.18

Low

3.1

1 new security note was released after the scheduled monthly patch day. Additionally, 4 previously released security notes were updated.

3697567

Update to Security Note released on February 2026 Patch Day:

[CVE-2026-23687XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform

Product - SAP NetWeaver AS ABAP and ABAP Platform
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917, SAP_BASIS 918

High

8.8

3695912

Update to Security Note released on February 2026 Patch Day:

[CVE-2026-24324Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools)

Product - SAP BusinessObjects Business Intelligence Platform (AdminTools)
Version(s) - ENTERPRISE 430, 2025, 2027

Medium

6.5

3672622

Update to Security Note released on February 2026 Patch Day:

[CVE-2026-0484Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA

Product - SAP NetWeaver Application Server ABAP and SAP S/4HANA
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

6.5

3396109

Update to Security Note released on February 2024 Patch Day:

[CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML

Product - SAP NWBC for HTML
Versions – SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731

Medium

4.7

3646297

[CVE-2026-24314Information Disclosure vulnerability in SAP S/4HANA (Manage Payment Media)

Product - S/4HANA (Manage Payment Media)
Version(s) - UIAPFI70 600, 700, 800, 900, 901, 902, UIS4H 109

Medium

4.3

To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.