SAP Product Security Update Advisory

Overview.


SAP fixed vulnerabilities in a number of products through the April 2026 security update.

Affected Products and Vulnerabilities.


CVE-2026-27681 is a SQL injection vulnerability in SAP Business Planning and Consolidation (HANABPC 810, BPC4HANA 300) and SAP Business Warehouse (SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816).
CVE-2026-34256 is a missing authorization check vulnerability in SAP ERP (SAP_FIN 618, 720, 730, EA-FIN 617, 700, EA-APPL 600, 602, 603, 604, 605, 606) and SAP S/4HANA (Private Cloud and On-Premise: SAPSCORE 135, S4CORE 102, 103, 104, 105, 106, 107, 108, 109).

Attack Method and Impact.


SQL injection vulnerabilities allow database queries to be manipulated through malicious input, which could lead to data exfiltration, integrity compromise, or further malicious behavior.
The missing authorization check vulnerability could allow an unauthorized user to access certain functions or escalate privileges.

Response and Advisory.


SAP has released security patches that resolve each vulnerability.
SAP recommends updating affected products and versions to the latest patch, following the security notes and patch information provided by SAP.
