Understanding SAP's Critical SQL Injection Vulnerability


SAP released 19 new security notes on its April 2026 Security Patch Day on Tuesday, headlined by a critical SQL injection vulnerability carrying a near-maximum severity score of 9.9 out of 10 that affects its Business Planning and Consolidation and Business Warehouse products.

Critical SQL Injection Threatens Core Business Systems

The most severe issue, tracked as CVE-2026-27681, allows an authenticated user with low privileges to execute crafted SQL statements that can read, modify, and delete backend database data, according to SAP's advisory. The flaw stems from insufficient authorization checks and carries a CVSS v3.1 score of 9.9, with high impact across confidentiality, integrity, and availability. Affected versions span multiple releases of SAP Business Warehouse and BPC for HANA.
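The advisory describes the two ingredients of this flaw class, crafted SQL statements reaching the database and a missing authorization check in front of them. The following added example (not SAP code, and not a reconstruction of CVE-2026-27681's mechanics) illustrates both ingredients and their fixes against a constructed in-memory SQLite table: a string-spliced query that a crafted filter can widen to every row, a parameterized query that treats the same input as a literal, and a hardened variant that also enforces a hypothetical per-user region policy before touching the database.

```python
import sqlite3

# Constructed sample data; the table, owners and amounts are illustrative only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE planning_data (id INTEGER PRIMARY KEY, owner TEXT, region TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO planning_data (owner, region, amount) VALUES (?, ?, ?)",
        [("alice", "EMEA", 100.0), ("bob", "APAC", 250.0), ("carol", "EMEA", 75.0)],
    )
    return conn

# Vulnerable pattern: the caller's filter is spliced into the statement text,
# so the quoting in the input becomes part of the SQL the engine parses.
def query_vulnerable(conn, region_filter):
    sql = "SELECT owner, region, amount FROM planning_data WHERE region = '" + region_filter + "'"
    return conn.execute(sql).fetchall()

# Parameterized pattern: the filter is bound as a value, never parsed as SQL,
# so a crafted string simply matches no region.
def query_parameterized(conn, region_filter):
    sql = "SELECT owner, region, amount FROM planning_data WHERE region = ?"
    return conn.execute(sql, (region_filter,)).fetchall()

# Hypothetical authorization policy: which regions each user may read.
ALLOWED_REGIONS = {"alice": {"EMEA"}, "bob": {"APAC"}, "carol": {"EMEA"}}

# Hardened pattern: an explicit authorization check before the query,
# combined with parameter binding. Either control alone leaves a gap;
# the advisory's flaw is the absence of the check in front of the statement.
def query_hardened(conn, user, region_filter):
    if region_filter not in ALLOWED_REGIONS.get(user, set()):
        raise PermissionError(f"{user} is not authorized for region {region_filter!r}")
    return query_parameterized(conn, region_filter)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable, crafted filter:", len(query_vulnerable(db, crafted)), "rows")
    print("parameterized, crafted filter:", len(query_parameterized(db, crafted)), "rows")
    try:
        query_hardened(db, "bob", "EMEA")
    except PermissionError as exc:
        print("hardened:", exc)
```

The point of running all three against the same input is that parameter binding alone would still let a low-privileged user read any region they can name, while the authorization check alone would still be bypassable if the filter were spliced into the statement; the hardened version needs both.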

A second high-priority note addresses CVE-2026-34256, a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) with a CVSS score of 7.1. According to the National Vulnerability Database, an authenticated attacker could exploit this flaw to overwrite existing ABAP reports without authorization, potentially rendering intended functionality unavailable.

Broader Fixes Span DoS, Code Injection, and XSS

Beyond the top-severity items, the April batch includes patches for a denial-of-service vulnerability in SAP BusinessObjects Business Intelligence Platform (CVE-2025-64775, CVSS 6.5), a code injection flaw in SAP NetWeaver Application Server Java's Web Dynpro component (CVE-2026-27674, CVSS 6.1), and a code injection issue in SAP Landscape Transformation (CVE-2026-27675). Multiple medium-severity notes address missing authorization checks across S/4HANA OData services, cross-site scripting in SAP Supplier Relationship Management, and an information disclosure vulnerability in SAP HANA Cockpit. One update to a previously released security note from November 2025 was also included.

Patching Urgency Amid Persistent Enterprise Threats

The release continues a pattern of monthly high-severity disclosures from SAP, which issued patches for critical vulnerabilities in each of its 2026 Patch Days so far — four critical flaws in January, three HotNews notes in February, and two critical issues in March. SAP's support portal urges customers to "apply patches on priority to protect their SAP landscape". System administrators running affected versions of Business Warehouse, S/4HANA, NetWeaver, and BusinessObjects should assess exposure and schedule remediation promptly.