SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in Commerce Cloud and S/4HANA.
Commerce Cloud is an enterprise-grade e-commerce platform used by online stores owned by large retailers and global brands, while S/4HANA is a cloud-based Enterprise Resource Planning (ERP) suite that will replace the company's on-premises ECC ERP system.
Tracked as CVE-2026-34263, the first critical flaw is a missing authentication check in SAP Commerce Cloud that allows unauthenticated attackers to execute code on vulnerable servers.
"Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application," SAP says.
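The advisory does not say which Spring Security setting was wrong, so the following is an added illustration, not SAP's code: a hypothetical Spring Security 6 configuration in which a broad permit-all rule is declared before the rule protecting an administrative upload endpoint, beside the corrected ordering. The endpoint paths, class names and profiles are invented for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// WEAK (hypothetical): request matchers are evaluated in declaration order and
// the first match wins. Because "/**" is listed first, the more specific
// "/admin/config/**" rule underneath it is never consulted, so the
// configuration-upload endpoint is reachable without any authentication.
@Profile("weak")
@Configuration
@EnableWebSecurity
class WeakSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/**").permitAll()
                .requestMatchers("/admin/config/**").hasRole("ADMIN"));
        return http.build();
    }
}

// HARDENED (hypothetical): the most specific rules come first, the explicitly
// public paths are enumerated rather than wildcarded, and anyRequest() closes
// the chain with a deny-by-default (authenticated) rule so that a path nobody
// thought about is never silently exposed.
@Profile("hardened")
@Configuration
@EnableWebSecurity
class HardenedSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/config/**").hasRole("ADMIN")
                .requestMatchers("/public/**", "/login").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The two classes are gated by Spring profiles because a single application context must not register two filter chains that both match every request; activate `hardened` in practice. A useful regression check is a MockMvc test that sends an unauthenticated request to the administrative path and asserts a 401 or 403, which fails loudly if a later edit reintroduces a broad permit-all rule above it.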
The second critical vulnerability (CVE-2026-34260) enables attackers with basic privileges to inject malicious SQL statements in low-complexity SQL injection attacks.
"The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization," according to SAP. "Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected."
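The pattern SAP describes, user input concatenated into SQL text, is shown below as an added example (not SAP's code, and not the affected S/4HANA code path) next to the parameterised form that fixes it. The table, column names and the hypothetical customer-id lookup are invented; the `main` assumes an H2 JDBC driver on the classpath for an in-memory database.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class OrderLookup {

    // VULNERABLE (hypothetical): the caller-supplied value becomes part of the
    // SQL text itself. A quote character in the input ends the string literal
    // and whatever follows is parsed as SQL, so the WHERE clause can be
    // rewritten by the caller instead of merely compared against.
    static List<String> findOrdersVulnerable(Connection conn, String customerId) throws SQLException {
        String sql = "SELECT order_id FROM orders WHERE customer_id = '" + customerId + "'";
        List<String> ids = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                ids.add(rs.getString("order_id"));
            }
        }
        return ids;
    }

    // FIXED: a prepared statement with a bind parameter. The SQL text is fixed
    // at compile time and the input is transmitted as a value, so quotes or
    // keywords inside it are data, never syntax.
    static List<String> findOrdersSafe(Connection conn, String customerId) throws SQLException {
        String sql = "SELECT order_id FROM orders WHERE customer_id = ?";
        List<String> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getString("order_id"));
                }
            }
        }
        return ids;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed demo data in an in-memory H2 database (driver assumed present).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE orders (order_id VARCHAR(16), customer_id VARCHAR(16))");
                st.execute("INSERT INTO orders VALUES ('O-1', 'C-100'), ('O-2', 'C-200')");
            }
            // Constructed input: a string that is not a valid customer id but
            // contains a quote, the kind of value an input filter should reject
            // and a parameterised query renders harmless.
            String hostile = "' OR '1'='1";
            System.out.println("concatenated: " + findOrdersVulnerable(conn, hostile));
            System.out.println("parameterised: " + findOrdersSafe(conn, hostile));
        }
    }
}
```

Run against the demo table, the concatenated query returns both orders because the injected comparison is always true, while the parameterised query returns an empty list because no customer_id equals the literal string. The same distinction is what to look for in code review: any query built with `+` or `String.format` from request data is suspect, regardless of how the input was validated upstream.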
SAP's May 2026 security advisory also lists fixes for one high-severity flaw and 11 medium-severity issues, including command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service.
While SAP hasn't found evidence that any of the vulnerabilities patched today were exploited in the wild, CISA has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog in recent years, including two that were abused in ransomware attacks.
Most recently, multiple official SAP npm packages were compromised in a supply-chain attack aimed at stealing credentials and authentication tokens from developers' systems.
As the world's largest vendor of enterprise software, the German multinational software corporation serves 99 of the 100 largest companies worldwide and reported total revenues exceeding €36 billion in fiscal year 2025.