SAP Product Security Update Advisory
Overview
We have released security updates to fix vulnerabilities in SAP products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2026-0491
SAP Landscape Transformation versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020
CVE-2026-0492
SAP HANA database version: HDB 2.00
CVE-2026-0498
SAP S/4HANA (Private Cloud and On-Premise) versions: S4CORE 102, 103, 104, 105, 106, 107, 108, 109
CVE-2026-0500
SAP Wily Introscope Enterprise Manager (WorkStation) version: WILY_INTRO_ENTERPRISE 10.8
CVE-2026-0501
SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) versions: S4CORE 102, 103, 104, 105, 106, 107, 108, 109
CVE-2026-0506
SAP NetWeaver Application Server ABAP and ABAP Platform versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
CVE-2026-0507
SAP Application Server for ABAP version: KRNL64UC 7.53
SAP Application Server for ABAP versions: KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16
SAP NetWeaver RFC SDK version: NWRFCSDK 7.50
CVE-2026-0511
SAP Fiori App (Intercompany Balance Reconciliation) versions: UIAPFI70 500, 600, 700, 800, 900, 901, 902
SAP Fiori App (Intercompany Balance Reconciliation) versions: S4CORE 102, 103, 104, 105, 106, 107, 108
Resolved Vulnerabilities
Code Injection Vulnerability in SAP Landscape Transformation (CVE-2026-0491)
Privilege Escalation Vulnerability in SAP HANA database (CVE-2026-0492)
Code Injection Vulnerability in SAP S/4HANA (Private Cloud and On-Premise) (CVE-2026-0498)
Remote Code Execution Vulnerability in SAP Wily Introscope Enterprise Manager (WorkStation) (CVE-2026-0500)
SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) (CVE-2026-0501)
Missing Authorization Check Vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform (CVE-2026-0506)
OS Command Injection Vulnerability in SAP Application Server for ABAP, SAP NetWeaver RFC SDK (CVE-2026-0507)
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation) (CVE-2026-0511)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the referenced sites to update to the latest patched version.
CVE-2026-0491, CVE-2026-0492, CVE-2026-0498, CVE-2026-0500, CVE-2026-0501, CVE-2026-0506, CVE-2026-0507, CVE-2026-0511
Separate security patches are available. [2][3][4][5][6][7][8][9]
References
[1] SAP Security Patch Day – January 2026
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html
[2] CVE-2026-0491
https://me.sap.com/notes/3697979
[3] CVE-2026-0492
https://me.sap.com/notes/3691059
[4] CVE-2026-0498
https://me.sap.com/notes/3694242
[5] CVE-2026-0500
https://me.sap.com/notes/3668679
[6] CVE-2026-0501
https://me.sap.com/notes/3687749
[7] CVE-2026-0506
https://me.sap.com/notes/3688703
[8] CVE-2026-0507
https://me.sap.com/notes/3675151
[9] CVE-2026-0511
https://me.sap.com/notes/3565506