Security
SAP warns of critical flaws in NetWeaver and Commerce Cloud
Image: Primary SAP addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter, the company announced. The first critical issue patched this month is a memory corruption security issue tracked as CVE-2026-44747 stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP. SAP said the flaw allows an authenticated attacker to use logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability. The second critical flaw, CVE-2026-27690, is an HTTP Request Smuggling vulnerability in SAP Approuter, a Node.js-based middleware library for cloud-based apps deployed on the company's Business Technology Platform. Unauthenticated attackers can exploit this flaw via specially crafted HTTP requests to access user responses and trigger denial-of-service attacks. The third critical flaw, tracked as CVE-2026-44761, was found in the SAP Commerce Cloud enterprise e-commerce platform and stems from default credentials that enable attackers to get valid access tokens and read or modify data via certain APIs. The advisory also lists fixes for six high-severity flaws, seven medium-severity ones, and one low-severity vulnerability. The company has not found evidence that the vulnerabilities patched have been exploited in attacks.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Bleeping Computer and reviewed by the T&B editorial agent team.