SAP Commerce Cloud & NetWeaver: Several Critical Security Vulnerabilities (CVE-2026-44761, CVE-2026-44747, CVE-2026-27690)
This text was generated using artificial intelligence (AI).Update July 14, 2026: In addition, CVE-2026-44747 and CVE-2026-27690 (CVSS 9.9) have been disclosed. CVE-2026-44747 affects SAP NetWeaver Application Server ABAP in numerous kernel versions and allows privileged attackers to execute arbitrary code, with a high impact on confidentiality, integrity, and availability. CVE-2026-27690 affects SAP Approuter (Node.js) in versions prior to 20.10.0 and can be resolved by updating to version 20.10.0 or higher. See below for details.
On July 8, 2026, as part of its regular Security Patch Day, SAP disclosed a critical vulnerability in SAP Commerce Cloud under the identifier CVE-2026-44761 with a CVSS score of 9.1 (According to SAP Security Note 3753495; SAP customer account required). The cause is a configuration error: A sample OAuth2 client provided with the software, whose credentials are publicly documented in the SAP help documentation, can remain active in production environments. An attacker can use these known credentials without prior authentication to access APIs and read or manipulate data.
Type of attack: CVE-2026-44761: Use of publicly known default credentials; CVE-2026-44747 and CVE-2026-27690: Privileged attacks with high potential for damage
Patch Status: CVE-2026-27690: Patch available (SAP Approuter >= 20.10.0); CVE-2026-44761 and CVE-2026-44747: Configuration measures or patches as described in the SAP Security Notes
Technical Analysis of Vulnerability CVE-2026-44761
The vulnerability CVE-2026-44761 does not result from a flaw in the program code, but rather from an insecure default configuration. SAP provides sample configurations for development and testing purposes. If these configurations for an OAuth2 client are transferred unchanged to a production environment, a significant security risk arises. An external attacker can use the documented credentials to obtain a valid access token and thus access the API of the SAP Commerce Cloud instance.
The CVSS score CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N accurately describes the danger:
Attack Vector: Network (AV:N): The attack can originate from the Internet.
Attack Complexity: Low (AC:L): No complex preparations are necessary.
Privileges Required: None (PR:N): The attacker does not need any login credentials or permissions.
User Interaction: None (UI:N): No user interaction is required.
Impact: The impact on the Confidentiality (C:H) and Integrity (I:H) The data is classified as high-risk. Availability (A:N) is not directly affected.
Technical Analysis of Vulnerabilities CVE-2026-44747 and CVE-2026-27690
CVE-2026-44747 refers to the SAP NetWeaver ABAP Application Server in a variety of kernel versions (KRNL64NUC 7.22/7.22EXT, KRNL64UC 7.22/7.22EXT, KERNEL 7.22/7.53/7.54/7.77/7.89/7.93/9.16/9.18/9.19/9.20). With a CVSS score of 9.9 (critical) and the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H This is a particularly severe vulnerability. An attacker with low privileges (PR:L) can launch an attack over the network (AV:N) with low complexity (AC:L) and without user interaction (UI:N), extending beyond the boundaries of the original security domain (S:C). The impact on confidentiality, integrity, and availability is high in each case (C:H/I:H/A:H). This indicates that a successful attack could grant complete control over affected systems.
CVE-2026-27690 concerns SAP Approuter (Node.js) in versions prior to 20.10.0. Here, too, the CVSS score is 9.9 (Critical) with an identical vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. SAP Approuter is a central component for routing and authentication in SAP cloud environments. A vulnerability in this component can have far-reaching consequences for the security of the entire application landscape. A patch is available for CVE-2026-27690: Operators should SAP Approuter Version 20.10.0 or later Update.
Risk to Business Operations
A successful attack exploiting one of these vulnerabilities could have far-reaching consequences, as SAP Commerce Cloud and SAP NetWeaver often process business-critical data.
At CVE-2026-44761 Attackers could extract sensitive customer data, manipulate product information and prices, or alter order data. This results in direct financial losses, damage to the company’s reputation, and potential violations of data protection laws such as the GDPR. Since access is gained using seemingly legitimate—albeit standardized—login credentials, such an incident can go undetected for a long time.
CVE-2026-44747 and CVE-2026-27690 potentially allow privileged attackers to gain complete control over affected systems, significantly impacting confidentiality, integrity, and availability. This can lead to data theft, manipulation of business processes, system failures, and significant operational disruptions. The fact that these vulnerabilities extend beyond security boundaries (scope changed) exacerbates the risk to the entire IT infrastructure.
These cases underscore the importance of rigorous configuration management and timely patch management during the deployment and operation of enterprise software. Sample configurations must never be used in production systems without modification, and security updates must be applied promptly.
This is particularly relevant for companies in Germany, Austria, and Switzerland: If such access results in the compromise of personal data belonging to EU citizens, Article 33 of the GDPR requires that the company notify the competent supervisory authority within 72 hours. In addition, operators of SAP Commerce Cloud and SAP NetWeaver that are classified as critical or highly critical infrastructure under the NIS 2 Directive may be subject to additional reporting and security obligations. The BSI generally recommends promptly implementing security advisories from vendors such as SAP.
Recommendations for Operators
SAP has released the relevant security notes as part of its regular Security Patch Day. System administrators should review the specific instructions via their SAP customer account. The following steps should be taken immediately:
For CVE-2026-44761 (SAP Commerce Cloud OAuth2 configuration):
Inventory and Inspection: Identify all instances of SAP Commerce Cloud. Check the configuration of each system to verify that the OAuth2 sample client is active and using the publicly documented credentials.
Immediate correction: Disable or remove the affected client immediately. Replace it with a configuration that uses secure, individually generated credentials.
Implementation of the SAP note: Implement the configuration steps from the SAP Security Note 3753495 in accordance with the manufacturer's instructions. Access to the note requires an SAP customer account.
For CVE-2026-44747 (SAP NetWeaver Application Server ABAP):
Identify affected systems: Identify all SAP NetWeaver ABAP instances and their kernel versions. Check whether any of the affected versions (KRNL64NUC 7.22/7.22EXT, KRNL64UC 7.22/7.22EXT, KERNEL 7.22/7.53/7.54/7.77/7.89/7.93/9.16/9.18/9.19/9.20) is in use.
Consult the SAP Security Note: Access the relevant SAP Security Note via the SAP Support Portal and follow the instructions provided there to resolve the vulnerability.
Apply patches promptly: Plan and implement the provided patches or workarounds in accordance with SAP's recommendations and your change management processes.
For CVE-2026-27690 (SAP Approuter Node.js):
Check versions: Identify all instances of SAP Approuter (Node.js) and check whether a version earlier than 20.10.0 is in use.
Perform update: Update SAP Approuter to Version 20.10.0 or later. Test the update in a test environment before rolling it out to production.
Check the documentation: Please refer to the official SAP documentation and the relevant security note for further details and possible configuration adjustments.
General Recommendations:
Monitoring and Logging: Enhance the monitoring of your SAP systems to detect suspicious activity early on. Check logs for unusual API access or authentication attempts.
Regular security reviews: Perform regular security audits of your SAP landscape to identify configuration errors and outdated components.
Patch Management Process: Establish a structured process for promptly installing security updates.
External Visibility as the Foundation of Risk Management
Vulnerabilities such as CVE-2026-44761, CVE-2026-44747, and CVE-2026-27690 highlight the challenge of maintaining an overview of all externally accessible systems and their configurations. Such systems are often set up as part of projects and later fall out of the security department’s sight as „shadow IT“—whether because they were provisioned in cloud environments, forgotten after a project’s completion, or simply not recorded in the asset inventory.
An External Attack Surface Management (EASM) platform such as LocateRisk addresses this problem by continuously identifying all IT assets associated with your company. This also includes instances of SAP Commerce Cloud, SAP NetWeaver, and SAP Approuter running under your domains. This visibility enables security teams to specifically check for potentially vulnerable systems and to identify whether insecure default configurations or outdated versions are in use—even in cases where a complete asset inventory is not maintained. This significantly reduces the time between when a security vulnerability arises and when it is discovered.
In addition, Continuous Vendor Risk Management (C-VRM) helps assess the security of key vendors such as SAP and proactively manage risks in the supply chain. As a German solution hosted in ISO 27001-certified data centers in Germany, LocateRisk supports compliance with the GDPR and helps minimize risks associated with the U.S. Cloud Act.
CVE-2026-44761 is a vulnerability in SAP Commerce Cloud caused by an insecure default configuration: An OAuth2 sample client with publicly documented credentials can remain active in production environments without being modified. According to SAP Security Note 3753495, an unauthenticated attacker can use these known credentials to obtain a valid access token and call certain APIs—with a high impact on data confidentiality and integrity (CVSS 9.1).
According to the information in SAP Security Note 3753495, the versions are COM_CLOUD 2211, COM_CLOUD 2211-JDK21 as well as HY_COM 2205 Affected by CVE-2026-44761. Operators of other versions should nevertheless check whether corresponding sample OAuth2 configurations are active in their systems.
CVE-2026-44747 affects SAP NetWeaver Application Server ABAP in numerous kernel versions (7.22 through 9.20) and allows privileged attackers to execute arbitrary code, with a high impact on confidentiality, integrity, and availability (CVSS 9.9). CVE-2026-27690 affects SAP Approuter (Node.js) in versions prior to 20.10.0 with an identical CVSS score and attack vector. A patch is available for CVE-2026-27690 (update to version 20.10.0 or higher).
For CVE-2026-44761 SAP Security Note 3753495 describes a configuration measure: Administrators should deactivate or remove the affected OAuth2 sample client and replace it with a configuration that uses securely generated, unique credentials. For CVE-2026-44747 Operators should consult the relevant SAP Security Note and implement the patches or workarounds described there. For CVE-2026-27690 You must update to SAP Approuter version 20.10.0 or later. Complete instructions are available through an SAP customer account.
At this time, there is no information indicating that CVE-2026-44761, CVE-2026-44747, or CVE-2026-27690 are being actively exploited. Nevertheless, given the high CVSS scores and the potentially far-reaching consequences, operators should implement the recommended measures immediately.
CVE Quick Check
In just a few minutes, check whether there are any indications of a current CVE on your externally visible attack surface.
A rough estimate in just a few minutes via email.
Learn more during a free consultation with a LocateRisk consultant.
You'll receive this by email
companyYour Company, LLC
Verified CVECVE-2024-3094
Passive Assessment
Information About the CVENotes found
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.