Critical SQL Injection Vulnerability in SAP Products Requires Immediate Patching
Severity: High (Score: 75.8)
Sources: Heise.De, Ccb.Belgium.Be, support.sap.com
Summary
On April 14, 2026, SAP released 19 new security notes addressing multiple vulnerabilities, including one critical SQL injection vulnerability (CVE-2026-27681) affecting SAP Business Planning and Consolidation and SAP Business Warehouse. The vulnerability, rated CVSS 9.9, allows authenticated users to execute arbitrary SQL commands because of insufficient authorization checks, potentially leading to unauthorized access and data manipulation. The authentication requirement should not be read as a mitigation: any account able to log on to the affected component can reach the flaw. A further high-risk vulnerability (CVE-2026-34256) allows attackers to overwrite executable ABAP reports in SAP ERP and SAP S/4HANA.

SAP has classified the majority of the remaining vulnerabilities as medium risk, with two rated low. IT managers are advised to check whether affected software is in use and to apply the corresponding security notes immediately. The Centre for Cybersecurity Belgium has emphasized the urgency of patching vulnerable instances to protect against potential exploitation.

Key Points:
• CVE-2026-27681 is a critical SQL injection vulnerability with a CVSS score of 9.9.
• SAP recommends immediate patching of affected systems to mitigate risks.
• The vulnerabilities could lead to unauthorized access, data manipulation, and denial of service.
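The following is an added, generic illustration of the vulnerability class described above: an authenticated caller whose request values are concatenated into SQL, beside the parameterized and authorization-checked form. It is not SAP code and does not reproduce the code path behind CVE-2026-27681; the schema, tenants, user names and the `lookup_vulnerable`/`lookup_hardened` functions are hypothetical, and the data is constructed so the block runs offline against an in-memory SQLite database.

```python
"""Generic illustration of an authenticated SQL injection and its fix.

Added example: not SAP code and not the flaw behind CVE-2026-27681.
Schema, tenants, users and sample rows are constructed for the demo.
"""
import sqlite3

# Constructed sample data: planning figures belonging to two tenants.
SAMPLE_ROWS = [
    ("sales", "tenant_a", 100),
    ("sales", "tenant_b", 250),
    ("costs", "tenant_a", 40),
]

# Hypothetical authorization table: which authenticated user may read which tenant.
ALLOWED_TENANTS = {
    "alice": {"tenant_a"},
    "bob": {"tenant_b"},
}


def make_db() -> sqlite3.Connection:
    """Build the in-memory database that both lookups query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plan (account TEXT, tenant TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO plan VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user, tenant, account):
    """Vulnerable pattern: the caller is authenticated, but the principal is
    never checked against the tenant, and the request values are pasted into
    the SQL text, so the tenant restriction only exists inside that string."""
    sql = (f"SELECT account, tenant, amount FROM plan "
           f"WHERE account = '{account}' AND tenant = '{tenant}'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user, tenant, account):
    """Hardened pattern: an explicit authorization check on the principal,
    then a parameterized query so request values can never become SQL."""
    if tenant not in ALLOWED_TENANTS.get(user, set()):
        raise PermissionError(f"{user} is not authorized for {tenant}")
    sql = ("SELECT account, tenant, amount FROM plan "
           "WHERE account = ? AND tenant = ?")
    return conn.execute(sql, (account, tenant)).fetchall()


# Constructed payload: closes the string literal, makes the predicate
# always true, and comments out the tenant restriction that follows.
PAYLOAD = "x' OR 1=1 --"


def demo():
    """Return (rows leaked by the vulnerable path, rows from the fixed path)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, "alice", "tenant_a", PAYLOAD)
    safe = lookup_hardened(conn, "alice", "tenant_a", PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    # (3, 0): the injection returns every tenant's rows; the fixed path returns none.
    print(demo())
```

The point of the two functions is that parameterization alone only stops the string from being rewritten; the separate authorization check is what stops an authenticated user from requesting a tenant they are not entitled to in the first place, which matches the "insufficient authorization checks" description of the SAP flaw.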
Key Entities
- Data Breach (attack_type)
- SQL Injection (attack_type)
- CVE-2026-27681 (cve)
- CVE-2026-34256 (cve)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- SAP (company)
- SAP Business Planning and Consolidation (platform)
- SAP Business Warehouse (platform)
- SAP ERP (platform)
- SAP NetWeaver Application Server ABAP (platform)
- SAP S/4HANA (platform)