SAP Security Patch Day - January 2026

This post shares information on security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.

On 13 January 2026, SAP Security Patch Day saw the release of 17 new security notes. There are no updates to previously released patch day security notes.

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3687749 | [CVE-2026-0501] SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger); Product - SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger); Version(s) - S4CORE 102, 103, 104, 105, 106, 107, 108, 109 | Critical | 9.9 |
| 3668679 | [CVE-2026-0500] Remote code execution in SAP Wily Introscope Enterprise Manager (WorkStation); Product - SAP Wily Introscope Enterprise Manager (WorkStation); Version(s) - WILY_INTRO_ENTERPRISE 10.8 | Critical | 9.6 |
| 3694242 | [CVE-2026-0498] Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise); Product - SAP S/4HANA (Private Cloud and On-Premise); Version(s) - S4CORE 102, 103, 104, 105, 106, 107, 108, 109 | Critical | 9.1 |
| 3697979 | [CVE-2026-0491] Code Injection vulnerability in SAP Landscape Transformation; Product - SAP Landscape Transformation; Version(s) - DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020 | Critical | 9.1 |
| 3691059 | [CVE-2026-0492] Privilege escalation vulnerability in SAP HANA database; Product - SAP HANA database; Version(s) - HDB 2.00 | High | 8.8 |
| 3675151 | [CVE-2026-0507] OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK; Product - SAP Application Server for ABAP and SAP NetWeaver RFCSDK; Version(s) - KRNL64UC 7.53, NWRFCSDK 7.50, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16 | High | 8.4 |
| 3565506 | [CVE-2026-0511] Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation); Additional CVE - CVE-2026-0496, CVE-2026-0495; Product - SAP Fiori App (Intercompany Balance Reconciliation); Version(s) - UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108 | High | 8.1 |
| 3688703 | [CVE-2026-0506] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform; Product - SAP NetWeaver Application Server ABAP and ABAP Platform; Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816 | High | 8.1 |
| 3681523 | [CVE-2026-0503] Missing Authorization check in SAP ERP Central Component and SAP S/4HANA (SAP EHS Management); Product - SAP ERP Central Component and SAP S/4HANA (SAP EHS Management); Version(s) - SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606, 617 | Medium | 6.4 |
| 3687372 | [CVE-2026-0499] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal; Product - SAP NetWeaver Enterprise Portal; Version(s) - EP-RUNTIME 7.50 | Medium | 6.1 |
| 3666061 | [CVE-2026-0514] Cross-Site Scripting (XSS) vulnerability in SAP Business Connector; Product - SAP Business Connector; Version(s) - SAP BC 4.8 | Medium | 6.1 |
| 3638716 | [CVE-2026-0513] Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog); Product - SAP Supplier Relationship Management (SICF Handler in SRM Catalog); Version(s) - SRM_SERVER 700, 701, 702, 713, 714 | Medium | 4.7 |
| 3655227 | [CVE-2026-0494] Information Disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation); Product - SAP Fiori App (Intercompany Balance Reconciliation); Version(s) - UIAPFI70 500, 600, 700, 800, 900, 901, 902, UIS4H 109 | Medium | 4.3 |
| 3655229 | [CVE-2026-0493] Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation); Product - SAP Fiori App (Intercompany Balance Reconciliation); Version(s) - UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, UIS4H 109 | Medium | 4.3 |
| 3677111 | [CVE-2026-0497] Missing Authorization check in Business Server Pages Application (Product Designer Web UI); Product - Business Server Pages Application (Product Designer Web UI); Version(s) - SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606, 617 | Medium | 4.3 |
| 3657998 | [CVE-2026-0504] Insufficient Input Handling in JNDI Operations of SAP Identity Management; Product - SAP Identity Management; Version(s) - IDM_CLM_REST_API 8.0, IDMIC 8.0 | Low | 3.8 |
| 3593356 | [CVE-2026-0510] Obsolete Encryption Algorithm Used in NW AS Java UME User Mapping; Product - NW AS Java UME User Mapping; Version(s) - ENGINEAPI 7.50, SERVERCORE 7.50, UMEADMIN 7.50 | Low | 3.0 |

1 new security note was released after the scheduled monthly patch day. Additionally, 1 previously released security note was updated.

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3697979 | Update to Security Note released on January 2026 Patch Day: [CVE-2026-0491] Code Injection vulnerability in SAP Landscape Transformation; Product - SAP Landscape Transformation; Version(s) - DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020 | Critical | 9.1 |
| 3122486 | [CVE-2026-23683] Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation); Product - SAP Fiori App (Intercompany Balance Reconciliation); Version(s) - S4CORE 102, 103, 104, 105, 106 | Medium | 4.3 |

To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.