The same week Microsoft was celebrating its first zero-day-free Patch Tuesday since 2024, SAP shipped a Security Patch Day that was anything but quiet. On May 12, 2026, SAP released 16 Security Notes, two of which carry a CVSS score of 9.6 and land squarely on the systems most enterprises consider their crown jewels: the S/4HANA ERP core and the Commerce Cloud storefront platform. CVE-2026-34260 is an authenticated SQL injection in SAP S/4HANA's Enterprise Search for ABAP. CVE-2026-34263 is an unauthenticated configuration-upload-to-code-execution flaw in SAP Commerce Cloud. Both produce a "cross-scope" compromise, meaning the impact escapes the vulnerable component's security boundary.
ERP and commerce platforms are a different category of target from a web app or a CI runner. S/4HANA sits on top of the financial, procurement, HR, and supply-chain data that runs the business; SAP Commerce Cloud is the revenue-generating storefront and the order pipeline behind it. A successful attack here is not "a server got popped" — it is potential access to general-ledger data, payment flows, vendor master records, and the integration fabric that ties SAP to everything else. National CERTs noticed: Belgium's Centre for Cyber Security (CCB) issued a warning urging immediate patching, and SAP-specialist firms Onapsis and Pathlock both flagged the release as one to act on within hours, not the usual change-window weeks.
This post breaks down both vulnerabilities, why their respective authentication requirements matter less than they look, what exploitation and detection look like on an SAP estate, and the order in which to act. No in-the-wild exploitation had been reported at the time of writing, which — as with the Microsoft Netlogon bug the same week — is a head start, not a reason to relax.
TL;DR
- CVE-2026-34263 (SAP Commerce Cloud, CVSS 9.6) is the more urgent of the two: an unauthenticated attacker can abuse an overly permissive security configuration with improper rule ordering to upload a malicious configuration and inject code, achieving arbitrary server-side code execution. Full compromise of confidentiality, integrity, and availability, with cross-scope impact. SAP Note 3733064.
- CVE-2026-34260 (SAP S/4HANA, CVSS 9.6) is an authenticated SQL injection in Enterprise Search for ABAP. A logged-in attacker can inject SQL with high impact on confidentiality and availability and a cross-scope reach. SAP Note 3724838.
- Affected: Commerce Cloud — HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21. S/4HANA — SAP_BASIS 751 through 758 and 816.
- No public exploitation reported at release for either.
- Action: apply SAP Note 3733064 (Commerce) as an emergency change immediately; apply SAP Note 3724838 (S/4HANA) within 24 hours per SAP's prioritization. Restrict network exposure of both in the meantime.
- This was part of a broad enterprise-software patch week alongside Microsoft, Ivanti, Fortinet, VMware, and others.
What happened
SAP's monthly Security Patch Day fell on May 12, 2026 and comprised 16 Security Notes spanning the product portfolio. Two were rated critical at CVSS 9.6:
- CVE-2026-34263 — SAP Commerce Cloud, an unauthenticated authentication-bypass-to-RCE, addressed in SAP Note 3733064.
- CVE-2026-34260 — SAP S/4HANA (Enterprise Search for ABAP), an authenticated SQL injection, addressed in SAP Note 3724838.
Both carry a "scope changed" CVSS vector, which is where the 9.6 comes from. A scope change means the vulnerable component can affect resources beyond its own security authority — in SAP terms, a bug in one module reaching across into data or execution contexts it should never touch. That is the property that turns a single-component flaw into an enterprise-wide problem.
CVE-2026-34263 — Commerce Cloud: unauthenticated config upload to RCE
This is the one to patch first, because it removes the single biggest mitigating factor any vulnerability can have: the need to log in.
The root cause is a configuration weakness rather than a classic memory or injection bug. SAP Commerce Cloud ships with a security configuration whose rule ordering is improper and overly permissive, such that an unauthenticated user can reach functionality that should be gated. Per the advisory, that exposure lets an attacker perform a malicious configuration upload and code injection, resulting in arbitrary server-side code execution. In other words: the access-control rules that are supposed to keep anonymous users away from the configuration-upload path are evaluated in the wrong order, the deny never wins, and the upload path becomes a remote-code-execution primitive.
The illustrative attack shape (not a working exploit, details omitted):
# Illustrative — SAP Commerce Cloud CVE-2026-34263 abuse path
1. Anonymous request reaches a configuration/upload endpoint that should require authentication
2. Permissive + mis-ordered access rules fail to deny the request
3. Attacker uploads a crafted configuration artifact containing injectable code
4. Server processes the artifact -> attacker-controlled code runs in the Commerce Cloud server context
Because the result is server-side code execution on the storefront platform, the downstream consequences are broad: theft of customer and order data, tampering with pricing or checkout, planting persistence, and pivoting into the back-end systems Commerce Cloud integrates with. The cross-scope rating reflects exactly that ability to reach beyond the storefront. SAP designates this an emergency-patch item, and CCB Belgium's advisory echoed that urgency.
Affected packages are HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. The fix is SAP Note 3733064.
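To make the rule-ordering failure concrete, here is an added illustration (not SAP Commerce Cloud's code or configuration): a minimal first-match access-rule evaluator with a permissive, mis-ordered rule list beside a corrected one, plus a check that flags gating rules shadowed by an earlier, broader rule. The path patterns, role names and matching semantics are constructed assumptions for this example.

```python
from typing import List, Set, Tuple

# A rule is (path pattern, requirement). Patterns are an exact path or a
# prefix ending in "/**"; requirement is "ANONYMOUS", "AUTHENTICATED" or a role.
Rule = Tuple[str, str]

# Constructed: a catch-all permit-all rule evaluated BEFORE the admin rules,
# so the deny for the upload path can never win (the advisory's bug class).
MISORDERED: List[Rule] = [
    ("/**", "ANONYMOUS"),
    ("/admin/config/upload", "ADMIN"),
    ("/admin/**", "ADMIN"),
]

# Constructed: most specific rules first, catch-all last, catch-all not anonymous.
HARDENED: List[Rule] = [
    ("/admin/config/upload", "ADMIN"),
    ("/admin/**", "ADMIN"),
    ("/storefront/**", "ANONYMOUS"),
    ("/**", "AUTHENTICATED"),
]

def _match(pattern: str, path: str) -> bool:
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def is_allowed(rules: List[Rule], path: str, roles: Set[str]) -> bool:
    """First matching rule decides; an unmatched path is denied."""
    for pattern, need in rules:
        if _match(pattern, path):
            if need == "ANONYMOUS":
                return True
            if need == "AUTHENTICATED":
                return bool(roles)
            return need in roles
    return False

def _sample_path(pattern: str) -> str:
    # A representative request path covered by the pattern.
    return pattern[:-3] + "/x" if pattern.endswith("/**") else pattern

def shadowed_rules(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Rules that can never fire because an earlier rule already covers every
    path they match; a gating rule listed here is dead configuration."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _match(earlier[0], _sample_path(rule[0])):
                dead.append((rule, earlier))
                break
    return dead
```

Running `shadowed_rules` over the mis-ordered list reports both admin rules as dead, which is the configuration-review check to run before relying on a deny rule.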
CVE-2026-34260 — S/4HANA: authenticated SQL injection in Enterprise Search
CVE-2026-34260 is a SQL injection vulnerability in SAP S/4HANA, specifically in the Enterprise Search for ABAP component. An authenticated attacker can inject malicious SQL statements through user input that is concatenated into a query without adequate sanitization or parameterization. The advisory describes high impact on confidentiality and availability and, again, a cross-scope effect.
The "authenticated" qualifier reads like a comfort, but on a real S/4HANA system it is a thin one. These platforms commonly have hundreds or thousands of named users, broad internal reachability, and a long history of weak or reused service-account credentials. An attacker who has phished a single low-privilege business user, or who has reached the system through the internal network after an initial foothold elsewhere, satisfies the precondition. From there, SQL injection against the database underpinning S/4HANA reaches the most sensitive data the enterprise holds — finance, procurement, payroll, vendor masters — and the cross-scope vector indicates the injection can affect data and operations beyond the searching user's intended authority.
Illustrative mechanism (not exploit code):
# Illustrative — CVE-2026-34260 class
search_term = user_input # from an Enterprise Search query
query = "SELECT ... WHERE field = '" + search_term + "'" # concatenation
# A crafted search_term breaks out of the literal and appends
# attacker-controlled SQL, executed with the query's DB scope.
Affected versions span SAP_BASIS 751 through 758 and 816. The fix is SAP Note 3724838, which SAP prioritizes for application within 24 hours.
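As an added example (not SAP's ABAP code and not the vulnerable routine), the concatenation pattern sketched above beside its parameterized form, run against an in-memory SQLite table standing in for a search index; the table, rows and search terms are constructed, and the syntax-error path is the log signal the Detection section relies on.

```python
import sqlite3

def _search_index():
    # Constructed stand-in for the data a search query reaches.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vendor (name TEXT, bank_account TEXT)")
    con.executemany("INSERT INTO vendor VALUES (?, ?)", [
        ("ACME Ltd", "DE00-0001"),
        ("O'Brien GmbH", "DE00-0002"),
        ("Zenith AG", "DE00-0003"),
    ])
    return con

def search_concat(con, term):
    # Vulnerable pattern: the search term becomes part of the SQL text.
    sql = "SELECT name FROM vendor WHERE name = '" + term + "'"
    return [row[0] for row in con.execute(sql)]

def search_param(con, term):
    # Fixed pattern: the term is bound as a value and cannot alter the query.
    sql = "SELECT name FROM vendor WHERE name = ?"
    return [row[0] for row in con.execute(sql, (term,))]

def demo():
    con = _search_index()
    legit = "ACME Ltd"
    apostrophe = "O'Brien GmbH"      # ordinary data that breaks concatenation
    breakout = "x' OR 'a'='a"        # constructed: closes the literal early
    results = {
        "concat_legit": search_concat(con, legit),
        "param_legit": search_param(con, legit),
        "param_apostrophe": search_param(con, apostrophe),
        "concat_breakout": search_concat(con, breakout),   # returns every row
        "param_breakout": search_param(con, breakout),     # matches nothing
    }
    try:
        search_concat(con, apostrophe)
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # The error a real DB logs when a quote lands in the SQL text: the
        # cheapest detection signal for this bug class.
        results["concat_apostrophe"] = "syntax error"
    return results
```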
Why authentication status is the wrong lens
The instinct on an ERP estate is to triage by "does it need a login." That instinct misranks these two bugs only slightly — Commerce Cloud's unauthenticated RCE is correctly first — but it badly underweights the S/4HANA SQL injection. On internet-facing or partner-facing systems, "unauthenticated" is the dividing line. Inside the SAP landscape, the more useful questions are: which systems are reachable from where, how strong is the credential hygiene around them, and what does the cross-scope vector let the bug touch once triggered. Both of these CVEs have cross-scope impact, which is the property that turns either one from a contained incident into a landscape-wide one. Treat both as critical and let exposure and reachability, not just the auth flag, set the deployment order.
Detection
For CVE-2026-34263 (Commerce Cloud):
- Anonymous or unauthenticated requests reaching configuration, import, or upload endpoints. Any successful access to administrative or config-upload paths without a prior authenticated session is a strong signal.
- New or modified configuration artifacts on Commerce Cloud nodes that do not correspond to a tracked change.
- New child processes, outbound connections, or files written by the Commerce Cloud / Hybris server process — classic post-RCE behavior.
- Web-server access logs showing POST or PUT to config/upload routes from external or unexpected source IPs.
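An added detection sketch (not from SAP, Onapsis or Pathlock) that applies the first and last of the signals above to constructed web-server access lines: the log layout, including a trailing user= field, the sensitive-path pattern and the trusted networks are assumptions, not the real Commerce Cloud log format.

```python
import ipaddress
import re

# Assumed layout: combined log line plus a trailing "user=<principal>" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ user=(?P<user>\S+)$'
)
# Assumed: route segments that belong to configuration, import or upload handling.
SENSITIVE_PATH = re.compile(r"/(config|import|upload)(/|$)", re.I)
# Assumed: where administrative writes are expected to originate.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample lines (TEST-NET address 203.0.113.7 plays the outsider).
SAMPLE_LOG = """\
10.1.2.3 - - [13/May/2026:09:01:00 +0000] "GET /storefront/cart HTTP/1.1" 200 512 user=anonymous
10.1.2.9 - - [13/May/2026:09:02:10 +0000] "POST /admin/config/upload HTTP/1.1" 200 88 user=basis_admin
203.0.113.7 - - [13/May/2026:09:03:30 +0000] "POST /admin/config/upload HTTP/1.1" 200 88 user=anonymous
203.0.113.7 - - [13/May/2026:09:03:31 +0000] "PUT /impex/import HTTP/1.1" 401 0 user=anonymous
10.1.2.9 - - [13/May/2026:09:04:00 +0000] "GET /admin/config HTTP/1.1" 200 700 user=basis_admin
"""

def _trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(log_text):
    """Return (timestamp, ip, method, path, reasons) for lines that hit a
    sensitive route either without an authenticated principal and with a
    2xx status, or as a write from outside the trusted networks."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not SENSITIVE_PATH.search(m["path"]):
            continue
        reasons = []
        if m["user"] == "anonymous" and m["status"].startswith("2"):
            reasons.append("unauthenticated success on gated path")
        if m["method"] in ("POST", "PUT") and not _trusted(m["ip"]):
            reasons.append("write from untrusted source")
        if reasons:
            alerts.append((m["ts"], m["ip"], m["method"], m["path"], reasons))
    return alerts
```

The rejected PUT is still reported: a 401 on a config route from an untrusted address is reconnaissance worth seeing even when the gate held.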
For CVE-2026-34260 (S/4HANA):
- SQL syntax errors raised from the search path, and unusually long or specially structured search inputs to Enterprise Search for ABAP, surfaced through SAP application logs and the SAP Security Audit Log.
- Database-level anomalies: queries from the Enterprise Search context touching tables outside its normal working set, or returning far more data than a search should.
- Use of SAP threat-monitoring tooling (Onapsis, Pathlock, and similar) tuned to the Enterprise Search component, which is where coverage gaps usually hide on SAP estates.
A practical reality for both: SAP telemetry is frequently under-collected. Many security teams have rich endpoint and network coverage but treat the SAP landscape as a black box owned by the Basis team. If the SAP Security Audit Log is not flowing to your SIEM, you have no detection for either of these bugs regardless of how good your rules are elsewhere.
What to do Monday morning
Ordered by urgency:
- Apply SAP Note 3733064 for Commerce Cloud (CVE-2026-34263) as an emergency change, now. This is the unauthenticated RCE. If a maintenance window is days away, that is too late; treat it as you would an internet-facing zero-day.
- Apply SAP Note 3724838 for S/4HANA (CVE-2026-34260) within 24 hours, per SAP's own prioritization. Do not let the "authenticated" label slide it into the routine queue.
- Restrict network exposure while patching. Ensure SAP Commerce Cloud admin and configuration endpoints are not reachable from the public internet or untrusted segments, and that S/4HANA is segmented away from general user networks. This buys time; it is not a fix.
- Confirm exact versions. Map your installed HY_COM, COM_CLOUD, and SAP_BASIS levels against the affected ranges before assuming you are or are not exposed.
- Turn on the lights. Verify the SAP Security Audit Log is enabled and shipping to your SIEM, with coverage for Enterprise Search and Commerce config endpoints, so you can detect exploitation of any straggler systems.
- Review credential hygiene around S/4HANA. Given that CVE-2026-34260 needs only a valid login, audit and rotate weak, shared, and dormant accounts, and confirm MFA on user access paths into the ERP.
- Catalog SAP in your vulnerability program. If these CVEs were not on your radar until a CERT advisory, that is the real finding. ERP belongs in the same intake and prioritization flow as everything else.
Why this keeps happening
SAP critical CVEs follow a recognizable rhythm, and these two are textbook examples of the two dominant classes. CVE-2026-34263 is a configuration/authorization defect — permissive defaults and mis-ordered access rules — which is the most common way SAP's enormous, deeply configurable platforms expose functionality that should be gated. CVE-2026-34260 is an injection bug in a sprawling ABAP codebase where decades of query construction did not uniformly adopt parameterization. Both stem from scale and age: SAP landscapes are vast, highly customized, integration-heavy, and frequently kept several support-package levels behind because patching them is operationally painful and business-critical downtime is expensive.
That patching friction is the structural problem. The systems most worth protecting are the ones organizations are most reluctant to touch, so SAP fixes routinely sit unapplied for months. Attackers know this; SAP CVEs have a long history of being weaponized well after disclosure precisely because the patch lag is so predictable. The recurrence is less about SAP shipping unusually buggy code and more about an ecosystem where the gap between "patch available" and "patch applied" is measured in quarters.
The structural fix
The honest leverage here is on dwell time and the patch-lag gap, not prevention. The recurring failure on SAP estates is not that the patch did not exist — it is that the affected systems were not in the vulnerability-management flow at all, so the advisory arrived as a surprise from a national CERT rather than as a ranked item in the queue. Bringing ERP and commerce platforms into the same intake means knowing your installed SAP_BASIS and COM_CLOUD levels as data, mapping them against advisories automatically, and ranking the result with exploitation signals like EPSS and KEV rather than re-litigating severity by hand. Policy-as-code enforcement can make "internet-facing Commerce admin endpoint" a violation that surfaces before an advisory does, and reachability-aware prioritization helps separate the SAP components that are actually exposed from the ones that merely appear in a bulletin. None of this patches SAP for you; it closes the visibility gap that turns a known, patched bug into a breach a quarter later.
What we know we don't know
- Exploitation status. No public proof-of-concept or in-the-wild activity was reported for either CVE at release. SAP bugs have historically been weaponized after disclosure once researchers reconstruct them from the notes; absence of a PoC today is not durable safety.
- Exact trigger paths. SAP Security Notes are access-gated and deliberately light on technical detail to slow exploit development. Our illustrative mechanisms for both bugs are reconstructions from the public advisories, not the precise vulnerable code.
- Cloud-managed exposure. For customers on SAP-managed Commerce Cloud environments, some patching may be handled by SAP; self-managed and on-premises deployments carry the full remediation burden. Confirm which model applies to you before assuming you are covered.
References
- SAP Security Patch Day — May 2026 (official)
- SecurityWeek: SAP Patches Critical S/4HANA, Commerce Vulnerabilities
- CCB Belgium: Warning — Critical SQL injection & missing authentication check in SAP (CVE-2026-34260 & CVE-2026-34263)
- Onapsis: SAP Security Patch Day May 2026
- Pathlock: SAP Patch Day May 2026 — SQL Injection, Commerce Cloud RCE and Supply Chain Risk
- The Hacker News: Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws