SAP released 15 security notes on its June 2026 Security Patch Day, including four vulnerabilities rated critical with CVSS scores of 9.0 or above. The most severe — CVE-2026-44748, a CVSS 9.9 XML Signature Wrapping flaw in SAP NetWeaver’s SAML-based authentication — allows unauthenticated attackers to forge authentication assertions and gain access to enterprise systems without valid credentials.
CVE-2026-44748: CVSS 9.9 XML Signature Wrapping in SAP NetWeaver SAML Authentication
SAP NetWeaver’s SAML authentication implementation is vulnerable to an XML Signature Wrapping attack — a technique in which an attacker manipulates the structure of a signed XML document to alter its meaning while leaving the digital signature technically valid. In CVE-2026-44748, this allows an unauthenticated attacker to craft a forged authentication assertion that SAP NetWeaver accepts as legitimate, granting unauthorized access to the affected system without requiring any valid user credentials.
CVSS 9.9 places this vulnerability at the near-maximum end of the severity scale. SAP NetWeaver underpins business-critical operations across finance, manufacturing, and government sectors, making unauthenticated authentication bypass a high-priority threat for enterprise security teams managing SAP deployments.
CVE-2026-27671: CVSS 9.8 Memory Corruption in the SAP ABAP RFC Gateway
The second critical vulnerability, CVE-2026-27671, is a CVSS 9.8 unauthenticated memory corruption flaw in the ABAP RFC gateway — the component that handles Remote Function Call communication across SAP’s core ERP platform. The RFC gateway manages internal and external system-to-system communication in SAP environments, and a memory corruption flaw at this layer is exploitable without authentication, placing it among the most dangerous vulnerabilities in this month’s release.
CVE-2026-22732 and CVE-2026-40128 Complete SAP’s Four-Critical June Patch Cluster
Two additional critical vulnerabilities round out June’s four highest-severity SAP disclosures. CVE-2026-22732 (CVSS 9.1) is a Spring Security authentication bypass affecting SAP Commerce Cloud — the e-commerce platform that handles customer-facing transactions for many SAP-linked retail and B2B operations. CVE-2026-40128 (CVSS 9.0) is a directory traversal vulnerability in SAP NetWeaver that allows unauthorized file system access on affected servers.
All four vulnerabilities share the characteristic that exploiting them requires no prior authentication, making each viable for external attackers who can reach exposed SAP services over a network.
Why SAP’s June Critical Vulnerabilities Demand Immediate Enterprise Attention
SAP systems are deployed across critical infrastructure sectors globally. The combination of CVE-2026-44748’s authentication bypass in NetWeaver SAML and CVE-2026-27671’s memory corruption in the ABAP RFC gateway creates two independent paths through which unauthenticated external actors could gain footholds in SAP environments that have not yet applied June’s patches.
How Authentication Bypass Flaws in SAP NetWeaver Create Initial Access Risk for Enterprise Networks
NetWeaver serves as the technical foundation for a wide range of SAP applications, meaning CVE-2026-44748 does not affect a single product in isolation — it affects the authentication layer that governs access across NetWeaver-based deployments. An attacker exploiting this vulnerability to forge authentication assertions could access ERP data, initiate transactions, or move laterally into connected enterprise systems depending on how SAP is integrated within a given organization’s architecture.
The 15 security notes released in June’s Patch Day span multiple SAP products, but the four critical vulnerabilities in NetWeaver, the ABAP RFC gateway, Commerce Cloud, and NetWeaver’s file system components represent the highest-risk exposure in this release. Organizations running SAP in manufacturing, finance, and government sectors — where SAP deployment is most concentrated — face the greatest exposure from delayed patching.
SAP Security Patch Days follow a monthly schedule, and the June 2026 release carries a larger critical vulnerability count than several preceding months. Security teams should prioritize CVE-2026-44748 and CVE-2026-27671 given their unauthenticated exploitation paths and CVSS scores placing them within the top tier of vulnerability severity.
