SAP Commerce Cloud & NetWeaver: Several Critical Security Vulnerabilities (CVE-2026-44761, CVE-2026-44747, CVE-2026-27690)


This text was generated using artificial intelligence (AI).Update July 14, 2026: In addition, CVE-2026-44747 and CVE-2026-27690 (CVSS 9.9) have been disclosed. CVE-2026-44747 affects SAP NetWeaver Application Server ABAP in numerous kernel versions and allows privileged attackers to execute arbitrary code, with a high impact on confidentiality, integrity, and availability. CVE-2026-27690 affects SAP Approuter (Node.js) in versions prior to 20.10.0 and can be resolved by updating to version 20.10.0 or higher. See below for details.

On July 8, 2026, as part of its regular Security Patch Day, SAP disclosed a critical vulnerability in SAP Commerce Cloud under the identifier CVE-2026-44761 with a CVSS score of 9.1 (According to SAP Security Note 3753495; SAP customer account required). The cause is a configuration error: A sample OAuth2 client provided with the software, whose credentials are publicly documented in the SAP help documentation, can remain active in production environments. An attacker can use these known credentials without prior authentication to access APIs and read or manipulate data.

Are my systems affected? Check now →