SAP Security Patchday 04/2026: Why Names and Scores Can Be Deceiving

The April 2026 SAP Security Patchday has arrived, and while the volume looks manageable (22 notes in total), the devil has rarely been more clearly in the details. Here is our breakdown of what you need to prioritize and why you should not trust a CVSS score alone: risk is not just about the score, but about the context of your landscape.

We also highly recommend the webinar (in German) by Sebastian Schönhöfer, who demonstrated how a seemingly moderate CVSS 5.5 vulnerability can still have a significant impact on SAP systems.

The Numbers at a Glance

20 New Security Notes + 2 updates to existing notes.

This month's notes focus heavily on SAP NetWeaver AS ABAP, alongside 3 notes for SAP BusinessObjects and 1 for AS Java.

There is also a visible shift in attack surface. While previous months were dominated by fixes in RFC-enabled function modules, we are now seeing an uptick in vulnerabilities in OData services, ICF nodes, and CDS views implemented with the ABAP RESTful Application Programming Model (RAP).

The “Urgent” Highlight: CVSS 9.9 (CVE-2026-27681)

The most prominent note of the month is a critical SQL Injection vulnerability in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW).

BUT: Do not let the name fool you. While the component name contains "Business Warehouse", the affected software component is part of the standard NetWeaver AS ABAP stack that SAP ECC and SAP S/4HANA run on, so this note is highly relevant for those systems as well (both on-premise and in ECS), whether or not you ever use the BW functionality.

This vulnerability allows full database access (read and write) through the application's database user. If you run S/4HANA or ECC, do not skip this just because you "don't run a standalone BW."

Check your patch levels and implement this IMMEDIATELY.

Why “Reading to the End” Matters (The CVSS 2.0 Trap: A Low Score Is Not a Low Risk)

We often see teams sorting by CVSS score and stopping once they reach the “Low” ratings. This month shows why that is a dangerous strategy.

Let’s have a look at Note 3723097 [CVE-2026-27675]: a Code Injection in SAP Landscape Transformation Replication Server (SLT).

What we see here is an ABAP command injection hidden in an RFC-enabled function module that lets a caller overwrite ABAP includes, which amounts to arbitrary code execution inside the ABAP stack.

It is rated at a mere CVSS 2.0, primarily because the writable namespace is limited and a basic authority check exists, so the caller needs an authorized user first.

In reality, that is a low bar for an attacker who already holds one set of credentials or an RFC destination into the system: ABAP code runs with the database user of the work process and therefore has full read/write access to every table, and an SLT system by design maintains connections into your source and target systems. In the hands of a clever attacker, this remains a powerful tool for lateral movement.

Implementation is necessary!
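To make the point of both sections concrete (the "BW" note that applies to your S/4 core, and the low-scored SLT note that deserves a high priority), here is a small landscape-aware triage script. It is an added example for this post, not code from SAP or from our notes service. The two real notes are the ones named above with the scores the post gives; the component names (SAP_BW, DMIS), the RFC flag, the third filler note, the system definition and the scoring policy are this example's own assumptions, labelled as such in the code.

```python
"""Landscape-aware triage of SAP Security Notes (added example, not from the post).

Sorting by CVSS alone puts the SLT code injection (CVSS 2.0) at the bottom of the
list. This script re-ranks notes against a concrete system: a note whose affected
software component is not installed drops out, while one that yields ABAP code
execution is raised regardless of its base score, because ABAP code runs with the
database user of the work process and therefore has full read/write access.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Vulnerability classes that end in arbitrary code running inside the ABAP stack.
CODE_EXECUTION_CLASSES = frozenset({"abap command injection", "code injection"})

# Floor applied to code-execution notes whose component is installed
# (illustrative policy value chosen for this example, not an SAP rating).
CODE_EXECUTION_FLOOR = 8.0


@dataclass(frozen=True)
class Note:
    number: str
    cve: str
    title: str
    cvss: float
    components: FrozenSet[str]   # software components the note patches
    vuln_class: str
    rfc_reachable: bool = False  # entry point is an RFC-enabled function module


@dataclass(frozen=True)
class System:
    sid: str
    description: str
    installed_components: FrozenSet[str]  # e.g. from System > Status or table CVERS


def rank_by_cvss(notes: List[Note]) -> List[Note]:
    """The naive ordering the post warns about: highest base score first."""
    return sorted(notes, key=lambda n: n.cvss, reverse=True)


def contextual_score(note: Note, system: System) -> Tuple[float, List[str]]:
    """Return (effective score, reasons) for one note on one system; 0.0 = not applicable."""
    hits = note.components & system.installed_components
    if not hits:
        return 0.0, [f"none of {sorted(note.components)} installed on {system.sid}"]
    score = note.cvss
    reasons = [f"affected component installed: {', '.join(sorted(hits))}"]
    if note.vuln_class.lower() in CODE_EXECUTION_CLASSES:
        score = max(score, CODE_EXECUTION_FLOOR)
        reasons.append("code execution in the ABAP stack = full DB read/write")
    if note.rfc_reachable:
        # Reachable from any connected system holding an RFC destination with a
        # sufficiently authorized user: a lateral-movement primitive.
        score = min(10.0, score + 0.5)
        reasons.append("entry point is an RFC-enabled function module")
    return round(score, 1), reasons


def rank_by_context(notes: List[Note], system: System) -> List[Tuple[Note, float, List[str]]]:
    """Notes ordered by effective score on this system; inapplicable notes are dropped."""
    scored = []
    for n in notes:
        s, why = contextual_score(n, system)
        if s > 0:
            scored.append((n, s, why))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# The two notes named in the post. The BPC/BW note number is not given in the post.
# Component names (SAP_BW, DMIS) and the RFC flag are this example's assumptions.
NOTES = [
    Note("not given in post", "CVE-2026-27681", "SQL Injection in SAP BPC / BW",
         9.9, frozenset({"SAP_BW"}), "SQL injection"),
    Note("3723097", "CVE-2026-27675", "Code Injection in SAP SLT",
         2.0, frozenset({"DMIS"}), "ABAP command injection", rfc_reachable=True),
    # Constructed filler (no real note): high score, but for a component this box lacks.
    Note("constructed", "constructed", "Hypothetical BusinessObjects note",
         8.8, frozenset({"BOE"}), "information disclosure"),
]

# Constructed S/4HANA system. SAP_BW is part of every NetWeaver AS ABAP stack, which is
# why the "BW" note applies here; DMIS is present because SLT is installed on this box.
S4 = System("S4P", "S/4HANA on-premise with SLT",
            frozenset({"SAP_BASIS", "SAP_ABA", "SAP_BW", "S4CORE", "DMIS"}))

if __name__ == "__main__":
    print("By CVSS alone :", [n.cve for n in rank_by_cvss(NOTES)])
    print(f"In context of {S4.sid} ({S4.description}):")
    for n, s, why in rank_by_context(NOTES, S4):
        print(f"  {s:4.1f}  {n.cve}  {n.title}: {'; '.join(why)}")
```

Run against the constructed system, the SLT note moves from last place by CVSS to an effective 8.5, while the filler note with the higher base score disappears because its component is not installed. Feed the script your own installed-component list and the real note metadata and you get a first-pass ordering that reflects your landscape rather than the headline score.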

Our Takeaway

Security isn’t a “top-down” list; it’s a holistic review. Whether it’s an OData service in a new RAP model or a “BW” component that lives in your S/4 core, the context of your specific landscape is everything.

Are you confused by the monthly flood of notes? Analyzing these notes manually takes time you might not have. If you want to make sure you never miss a critical fix like the one hidden in SLT this month, let us help you.

Check out our SAP Security Notes Service to streamline your patching process and keep your systems resilient.

Do you have any questions about patch day or SAP security in general?

Please get in touch with us directly!