SAP Security Patch Day – April 2026
April brought a moderate release: on April 14, SAP published 19 new security notes and 1 update to a previously released one, bringing the total to 20 entries, a step up from March’s 15, though still well below February’s volume. The severity distribution tells a different story, though. With only 1 Critical note, this is the first month of 2026 where a single vulnerability holds the top spot, and it’s a CVSS 9.9 SQL Injection that deserves full attention on its own.
The breakdown is 1 Critical (CVSS 9.9), 1 High (CVSS 7.1), 17 Medium (CVSS 4.1–6.5), and 1 Low (CVSS 3.1). Missing Authorization is once again the dominant vulnerability class, accounting for nearly half the notes, confirming what has by now become the clearest trend of 2026. One update was released, revisiting a November 2025 note for SAP S/4HANA Journal Entries.
.
Key Highlights by Severity
Critical Priority (CVSS 9.9)
Note 3719353 addresses a SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. An authenticated user with low privileges can exploit insufficient authorization controls on the ABAP program upload functionality to execute crafted SQL statements — reading, modifying, and deleting data across the database, with full impact on confidentiality, integrity, and availability. The fix takes a straightforward approach: it deactivates all executable code within the affected ABAP program entirely. A workaround is available by revoking the S_GUI authorization object with Activity 60 (Upload) from user accounts, which is worth implementing immediately if patching can’t happen right away.
High Priority (CVSS 7.1)
Note 3731908 covers a Missing Authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) that lets an authenticated attacker execute a specific ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If one of those overwritten reports gets executed afterward, the system’s intended functionality could break. The impact is high on availability and low on integrity, with no effect on confidentiality. A temporary workaround is available by assigning an authorization group to the affected programs (RGJVCORG and RGJVCORX) through SE38.
Key Affected Components
SAP S/4HANA is by far the most affected product this month, with six notes touching different layers of the platform. Three of them target OData services — specifically the Manage Reference Equipment (Note 3715097), Backend OData for Manage Reference Structures (Note 3715177), and Frontend OData for Manage Reference Structures (Note 3716767) — all involving missing authorization checks on child entities that allow unauthorized update and delete operations. These three notes are closely related and SAP explicitly requires implementing 3715177 and 3716767 together to get the complete fix. Additional S/4HANA notes address Missing Authorization in Financial and HR areas, and a separate note covers the Journal Entries update.
SAP BusinessObjects Business Intelligence Platform shows up again with three notes: a DoS via Apache Struts resource exhaustion in multipart request processing (Note 3696239, CVSS 6.5) — another third-party library issue, this time in Struts versions up to 6.7.0 — an Insecure Session Management vulnerability (Note 3702191, CVSS 4.2), and a Reflected XSS (Note 3698216, CVSS 4.1). BusinessObjects has now appeared in every single Patch Day of 2026, consistently drawing multiple notes per month.
SAP NetWeaver AS ABAP and AS Java contribute three notes: a Code Injection in Web Dynpro Java (Note 3719397, CVSS 6.1), an Open Redirect in AS ABAP spanning SAP_BASIS 700–816 (Note 3692004, CVSS 6.1), and a CSS Injection in SAP_UI 758/816 (Note 3665042, CVSS 3.1). The Code Injection in Web Dynpro Java is worth flagging separately — even at medium severity, code injection in a web runtime component represents a non-trivial attack surface.
SAP Human Capital Management, SAP Business Analytics and Content Management, SAP Landscape Transformation, SAP Supplier Relationship Management, SAP HANA Cockpit, and Material Master Application each contribute one note, reflecting the usual broad ecosystem spread. The Code Injection in SAP Landscape Transformation (Note 3723097) is worth noting — it affects DMIS versions all the way from 2011_1_700 through 2020 and S4CORE 102–109, continuing a pattern of LT vulnerabilities that already appeared in January 2026.
Notable Trends
1 – Missing Authorization continues to dominate Roughly half the notes this month involve missing or insufficient authorization checks across S/4HANA OData services, ERP ABAP reports, Business Analytics, HCM, and the Material Master application. Four months into 2026, this is no longer a trend — it’s the defining characteristic of this year’s patch cycle. The breadth of products affected suggests a systemic gap in how authorization is implemented and reviewed across SAP’s development lifecycle.
2 – S/4HANA OData services under scrutiny Three notes targeting different OData layers of the same functional area (Reference Equipment and Structures) landing in the same Patch Day is unusual. It points to a focused security review of Plant Maintenance OData services in S/4HANA 1909, where authorization checks on child entity operations were simply missing. Organizations running S4CORE 109 should treat these three notes as a bundle rather than applying them individually.
3 – Third-party libraries, again The BusinessObjects DoS (Note 3696239) traces back to an Apache Struts vulnerability affecting versions 2.0.0 through 6.7.0. Following March’s Log4j and OpenSSL findings, this is the third consecutive month where a notable vulnerability in a SAP product originates from a bundled third-party library. The pattern is consistent enough that organizations should now treat open-source component management as a standing priority, not a one-time exercise.
4 – Landscape Transformation code injection returns Note 3723097 brings code injection back to SAP Landscape Transformation — the same product affected in January 2026 (Note 3697979). While the CVEs differ, the recurrence in the same product and across the same wide range of DMIS versions raises the question of whether the January remediation was complete, or whether the same architectural weakness continues to yield new exploitable paths.
5 – One update, and it’s from November 2025 The single updated note (Note 3530544, CVE-2025-42899) revisits a Missing Authorization finding in SAP S/4HANA Manage Journal Entries originally released in November 2025. Organizations that applied the original note five months ago should verify whether the updated correction instructions change anything in their specific S4CORE version.
6 – Moderate volume, concentrated risk 19 new notes is a middle-ground volume for 2026, but the single Critical sits at the absolute top of the scoring scale — CVSS 9.9, same as February’s highest-severity note. The rest of the batch is predominantly medium severity, but the SQL Injection in BPC/BW alone justifies treating this as a high-urgency month for affected BW landscapes.
The botton line
April’s remediation priorities come down to a handful of clear actions:
- Emergency Patching for Note 3719353: the SQL Injection in SAP BPC and SAP BW is a CVSS 9.9 with full CIA impact and a clear exploit path via ABAP upload functionality. Until the patch is applied, revoking S_GUI Activity 60 from non-administrative users is a reasonable first line of defense.
- SAP ERP/S4HANA ABAP Report Overwrite (Note 3731908): the High-severity finding that allows authenticated users to overwrite executable reports is operationally dangerous in any landscape where those reports are actively used. Apply the workaround via SE38 authorization groups if patching is delayed.
- S/4HANA OData Bundle for Notes 3715097, 3715177, and 3716767: these must be implemented together in S4CORE 109 environments. Applying only the backend or only the frontend note leaves the fix incomplete.
- BusinessObjects Hardening for the three notes targeting BO this month (Notes 3696239, 3702191, and 3698216), prioritizing the Apache Struts DoS in deployments with external access.
- Landscape Transformation Review: with Note 3723097 representing the second code injection in SAP LT in four months, organizations should verify whether the January 2026 fix was fully applied across all DMIS versions, and treat this as a recurring area of concern.
- NetWeaver Code Injection in Web Dynpro Java (Note 3719397) and Open Redirect in AS ABAP (Note 3692004) should be prioritized within the medium-severity batch, particularly in internet-facing NetWeaver deployments.
- Prior Note Re-validation for CVE-2025-42899 (Note 3530544): organizations that patched in November 2025 should review the updated correction instructions to confirm nothing material changed for their version.
April reinforces a theme that has been building since January: the 2026 threat landscape isn’t defined by occasional spectacular vulnerabilities — it’s defined by a steady, wide-ranging accumulation of authorization gaps, repeated findings in the same products, and third-party dependencies that keep quietly showing up as critical risks. The SQL Injection in BPC/BW is urgent, but the real work this year is architectural.
At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats. Contact us today to fortify your SAP environment.
You must be logged in to post a comment.