SAP security advisory – April 2026 monthly rollup (AV26-349)
# Vulnerability: SAP Security Advisory – April 2026 Monthly Rollup
## CVE Details
*Note: The source document summarises the affected products but does not list the individual CVE identifiers or per-note CVSS scores. Historically, SAP Patch Day rollups mix high-, medium- and low-priority notes, so the aggregate ranges below mean "review the individual notes for this component", not a single severity.*
- **CVE ID:** [Not explicitly listed in source]
- **CVSS Score:** [Not explicitly listed in source] (varies by note and product)
- **CWE:** Not listed in source. Past SAP Patch Days have commonly included Cross-Site Scripting (XSS), Improper Access Control and Information Disclosure classes; the classes actually fixed this month must be taken from the individual notes.
## Affected Systems
- **SAP Business Planning & Consolidation / Business Warehouse:** HANABPC 810, BPC4HANA 300, SAP_BW 750–758, 816.
- **SAP ERP & S/4HANA (Private Cloud & On-Premise):** SAP_FIN 618+; S4CORE 102–109; EA-APPL 600–606.
- **SAP BusinessObjects BI Platform:** ENTERPRISE 430, 2025, 2027.
- **SAP Human Capital Management (HCM):** S4HCMRXX 100–102, SAP_HRRXX 600–608.
- **SAP NetWeaver AS Java (Web Dynpro):** WD-RUNTIME 7.50.
- **SAP NetWeaver AS ABAP:** SAP_BASIS 700–816; SAP_UI 758, 816.
- **SAP HANA Cockpit / Database Explorer:** Version 2.0.
- **Other affected components:** SAP Supplier Relationship Management (SRM), SAP Landscape Transformation (DMIS), and various OData Services.
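The first thing a practitioner wants from a list like the one above is a quick answer to "which of my systems carry a component in one of those ranges?". The following is an added example, not part of the advisory: the `AFFECTED` table is transcribed from the list above (with ASCII hyphens for the ranges), and `INVENTORY` is a constructed sample shaped like a "System > Status > Component Information" export, not data from a real system. A hit means "open the individual security notes for that component", because the rollup ranges are aggregates across several notes.

```python
"""Triage helper for the AV26-349 rollup: compare a component inventory
against the affected-component ranges listed on this page.

Added example, not part of the advisory. AFFECTED is transcribed from the
page; INVENTORY is a constructed sample (component -> release), not real
system data.
"""
import re

# Component -> affected releases as written on the page.
# "a-b" is an inclusive range, "n+" means n and later, commas separate alternatives.
AFFECTED = {
    "HANABPC": "810",
    "BPC4HANA": "300",
    "SAP_BW": "750-758, 816",
    "SAP_FIN": "618+",
    "S4CORE": "102-109",
    "EA-APPL": "600-606",
    "ENTERPRISE": "430, 2025, 2027",
    "S4HCMRXX": "100-102",
    "SAP_HRRXX": "600-608",
    "WD-RUNTIME": "7.50",
    "SAP_BASIS": "700-816",
    "SAP_UI": "758, 816",
    "DMIS": "2011_1, 2020",
}


def release_key(release):
    """Comparable tuple of the numeric fields of a release string:
    '758' -> (758,), '7.50' -> (7, 50), '2011_1_731' -> (2011, 1, 731)."""
    parts = re.findall(r"\d+", release)
    if not parts:
        raise ValueError(f"release has no numeric fields: {release!r}")
    return tuple(int(p) for p in parts)


def matches_spec(release, spec):
    """True if `release` falls under any alternative in `spec`.
    Exact alternatives match as a prefix, so the page's 'DMIS 2011_1' covers
    an installed 2011_1_731; ranges compare the tuples inclusively."""
    key = release_key(release)
    for alt in (a.strip() for a in spec.split(",")):
        if alt.endswith("+"):
            if key >= release_key(alt[:-1]):
                return True
        elif "-" in alt:
            low, high = (release_key(b) for b in alt.split("-", 1))
            if low <= key <= high:
                return True
        else:
            want = release_key(alt)
            if key[: len(want)] == want:
                return True
    return False


def triage(inventory, affected=AFFECTED):
    """Installed components whose release falls in an affected range.
    A hit is a prompt to read the individual notes for that component, not a
    confirmed vulnerability; a miss says nothing about notes outside this page."""
    hits = []
    for component, release in sorted(inventory.items()):
        spec = affected.get(component)
        if spec is not None and matches_spec(release, spec):
            hits.append((component, release, spec))
    return hits


# Constructed sample: an ECC-style stack with the DMIS add-on (not a real system).
INVENTORY = {
    "SAP_BASIS": "750",
    "SAP_ABA": "750",
    "SAP_UI": "754",
    "SAP_FIN": "618",
    "EA-APPL": "618",
    "DMIS": "2011_1_731",
    "ST-PI": "740",
}

if __name__ == "__main__":
    for component, release, spec in triage(INVENTORY):
        print(f"{component:<10} {release:<12} in affected range {spec}")
```

Run against the sample, the script flags SAP_BASIS 750, SAP_FIN 618 and DMIS 2011_1_731 and leaves SAP_UI 754 and EA-APPL 618 alone, which is exactly the distinction the aggregate list hides when read by eye. Components the page does not mention (SAP_ABA, ST-PI) are never parsed, so a non-numeric release such as SAP_ABA's does not break the run.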
## Vulnerability Description
This rollup addresses multiple security flaws across SAP's product portfolio. The source lists only the affected components (OData services, SICF handlers, Web Dynpro, the Material Master application, Journal Entry handling, SAP_BASIS and SAP_UI), so the following is an inference from those component names, not a description taken from the individual notes:
- **Service-handler flaws:** weaknesses in how the SRM Catalog SICF handler and the listed OData services validate and authorise incoming HTTP requests.
- **Application logic errors:** issues in the Material Master application and journal-entry processing that could allow data to be read or changed without the corresponding authorisation check.
- **Platform-layer fixes:** corrections in SAP_BASIS and SAP_UI, which underlie every ABAP and Fiori system, so those notes apply regardless of which business product runs on top.
## Exploitation
- **Status:** The source does not report in-the-wild exploitation; treat the notes as not known to be exploited unless the individual SAP note says otherwise.
- **Complexity:** Not stated in source. For the web-facing components (OData, SICF, Web Dynpro) the usual expectation is Low to Medium.
- **Attack Vector:** Not stated in source. The listed components are reachable over HTTP(S), so Network (remote) is the likely vector for most of them.
## Impact
- **Confidentiality:** Potential for unauthorized data access across ERP and BI platforms.
- **Integrity:** Possible unauthorized modification of financial or technical object structures.
- **Availability:** Risk of service disruption in NetWeaver and HANA environments.
## Remediation
### Patches
SAP recommends applying the security notes published on the SAP Support Portal, either individually via SNOTE or through the support package that contains them:
- **SAP Business Warehouse:** Apply the relevant notes or support packages for SAP_BW 750–758 and 816.
- **S/4HANA:** Apply relevant S4CORE and SAP_FIN notes for version 109 and earlier.
- **BusinessObjects:** Upgrade to latest maintenance releases for 430, 2025, and 2027.
- **Landscape Transformation:** Update DMIS versions 2011_1 and 2020.
### Workarounds
- Specific workarounds are generally not provided in the rollup summary; SAP's guidance is to apply the Security Notes. Any workaround from an individual note is a stopgap until the note is applied, not a replacement for it.
- Disable unused OData services (e.g., Manage Reference Equipment) if they are not required for business operations. Gateway services are activated per system in transaction /IWFND/MAINT_SERVICE and their ICF nodes can be deactivated in transaction SICF; check which Fiori apps depend on a service before deactivating it, because an inactive node fails every caller, not only the attacker.
## Detection
- **Indicators of Compromise:** None are published in the source. Monitor for unusual administrative activity in SAP HANA Cockpit, and for OData calls to S4CORE services from clients or users that do not normally use them, using the ICM HTTP access log, the Gateway error log (/IWFND/ERROR_LOG) and the Security Audit Log.
- **Detection methods and tools:** Use the SAP EarlyWatch Alert report and SAP Configuration Validation to identify systems missing these security notes; System Recommendations in SAP Solution Manager reports missing notes per system based on the installed component levels.
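The "unexpected OData calls" indicator above is only actionable if it is written down as a rule. The following is an added example, not part of the advisory: it reads ICM HTTP access-log lines in the CLF-like layout produced by an `icm/HTTP/logging_<n>` format of `%h %u %t "%r" %s %b`, extracts the Gateway service name from the standard `/sap/opu/odata/sap/<SERVICE>` path prefix, and flags calls to a service outside a site allow-list or from a client outside the expected networks. The allow-list, the networks, the service names and the log lines are all constructed placeholders; the `API_REF_EQUIPMENT_SRV` name is hypothetical and stands in for whatever service the rarely used app in your landscape actually exposes.

```python
"""Detection sketch: flag OData calls to non-allow-listed Gateway services or
from unexpected client networks, from ICM HTTP access-log lines.

Added example, not part of the advisory. Assumptions: CLF-like ICM log format
('%h %u %t "%r" %s %b'); ALLOWED_SERVICES, CLIENT_NETWORKS and SAMPLE_LOG are
constructed placeholders, not production data.
"""
import ipaddress
import re

ODATA_PREFIX = "/sap/opu/odata/sap/"  # standard Gateway path prefix

# Hypothetical site policy: services the business uses, and where clients sit.
ALLOWED_SERVICES = {"ZMM_MATERIAL_SRV", "API_JOURNALENTRY_SRV"}
CLIENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LOG_LINE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Dict of host/user/time/method/path/status/bytes, or None if the line
    does not match the expected format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def odata_service(path):
    """Gateway service name for an OData request path, else None.
    Strips a trailing entity set, ';v=2' style suffix and query string."""
    if not path.startswith(ODATA_PREFIX):
        return None
    rest = path[len(ODATA_PREFIX):]
    name = rest.split("/", 1)[0].split(";", 1)[0].split("?", 1)[0]
    return name or None


def client_in_networks(host, networks):
    """True if `host` parses as an IP inside one of `networks`; hostnames and
    unparseable values count as outside, which is the safe default."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def findings(lines, allowed=ALLOWED_SERVICES, networks=CLIENT_NETWORKS):
    """(host, user, service, status, reasons) for every OData call that
    breaks the allow-list or the client-network expectation."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = odata_service(rec["path"])
        if service is None:
            continue  # not an OData call; out of scope for this rule
        reasons = []
        if service not in allowed:
            reasons.append("service not on allow-list")
        if not client_in_networks(rec["host"], networks):
            reasons.append("client outside expected networks")
        if reasons:
            out.append((rec["host"], rec["user"], service, rec["status"], reasons))
    return out


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
10.20.4.17 JSMITH [14/Apr/2026:09:01:12 +0200] "GET /sap/opu/odata/sap/ZMM_MATERIAL_SRV/Materials?$top=50 HTTP/1.1" 200 8812
10.20.4.17 JSMITH [14/Apr/2026:09:01:40 +0200] "GET /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html HTTP/1.1" 200 3120
10.20.9.201 DEVELOPER [14/Apr/2026:09:03:02 +0200] "GET /sap/opu/odata/sap/API_REF_EQUIPMENT_SRV/$metadata HTTP/1.1" 200 15501
203.0.113.44 - [14/Apr/2026:09:05:55 +0200] "POST /sap/opu/odata/sap/API_JOURNALENTRY_SRV/JournalEntries HTTP/1.1" 401 0
""".splitlines()

if __name__ == "__main__":
    for host, user, service, status, reasons in findings(SAMPLE_LOG):
        print(f"{host:<15} {user:<10} {service:<24} {status} {'; '.join(reasons)}")
```

On the sample the rule produces two findings: the `$metadata` fetch of a service nobody should be using, and a journal-entry POST from outside the client range (the 401 shows the attempt failed, which is still worth seeing once the corresponding note is known to be missing). Unauthenticated requests log the user as `-`, so key any follow-up on the client address rather than the user field.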
## References
- SAP Security Patch Day - April 2026: hxxps[://]support[.]sap[.]com/en/my-support/knowledge-base/security-notes-news/april-2026[.]html
- Canadian Centre for Cyber Security Advisory (AV26-349): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/sap-security-advisory-monthly-rollup-april-2026-av26-349