SAP has released its May 2026 Security Patch Day updates, addressing 15 vulnerabilities across a range of enterprise products. The release includes two critical-severity flaws affecting the Commerce Cloud e-commerce platform and the S/4HANA ERP suite — both widely deployed across global enterprises and government organizations.
The critical vulnerabilities could allow attackers to inject malicious code into affected systems, with potential consequences ranging from sensitive information disclosure to full remote code execution.
Critical Flaws Addressed
SAP's May patch bundle targets multiple product lines, but security teams should prioritize the two critical issues in Commerce Cloud and S/4HANA:
Commerce Cloud Critical Flaw
The critical vulnerability in SAP Commerce Cloud — SAP's enterprise-grade e-commerce platform used by major retailers and B2B organizations globally — allows for malicious code injection through insufficiently validated input. Successful exploitation could expose sensitive customer data, order history, and payment-adjacent information stored within the platform.
Commerce Cloud deployments that are internet-facing are at elevated risk. SAP customers running Commerce Cloud should treat this patch as urgent.
S/4HANA Critical Flaw
SAP S/4HANA, the company's flagship ERP suite underpinning financial operations, supply chains, and HR workflows at thousands of enterprises worldwide, is affected by a separate critical vulnerability that similarly permits code injection. Given S/4HANA's position at the core of enterprise operations, exploitation could cascade into significant business disruption and financial data exposure.
Full Patch Day Scope
The May 2026 Security Patch Day encompasses 15 CVEs across SAP's product portfolio:
| Severity | Count | Affected Areas |
|---|---|---|
| Critical | 2 | Commerce Cloud, S/4HANA |
| High | ~5 | Multiple SAP products |
| Medium | ~6 | Various components |
| Low/Info | ~2 | Documentation and tooling |
Beyond the two critical flaws, the update addresses high and medium severity issues across other SAP products including NetWeaver, BusinessObjects, and peripheral integrations.
Why This Matters
SAP products represent some of the most valuable targets in the enterprise attack surface. The company's software handles:
- Financial records and ERP data for more than 400,000 customers globally
- Supply chain operations for a significant portion of global trade
- HR and payroll data for millions of employees
- Customer and order data in Commerce Cloud deployments
Threat actors — including ransomware groups and nation-state actors — actively target SAP vulnerabilities. CISA and security researchers have previously documented exploitation of unpatched SAP systems in the wild, and critical-severity SAP flaws are frequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog within weeks of disclosure.
Recommended Actions
SAP customers should take the following steps immediately:
- Apply the May 2026 Security Patch Day updates — prioritize Commerce Cloud and S/4HANA patches first
- Check SAP ONE Support Launchpad for the full list of SAP Security Notes and apply all available corrections
- Review internet-facing SAP systems — particularly Commerce Cloud deployments accessible externally
- Enable SAP's Enterprise Threat Detection or equivalent logging to identify any exploitation attempts
- Run SAP's Configuration Validation tool to check for unauthorized changes post-patch
# Verify installed SAP patch level via SAP kernel release info (example for ABAP systems)
# Run in SAP system: SM59 or via ABAP report
# Check transaction SPAM for open correction instructions
# Verify SAPehrscan for open security notes- Engage SAP Basis and security teams to coordinate emergency patching windows if standard maintenance cycles extend beyond 72 hours
Historical Context
SAP's monthly Security Patch Days frequently include critical-severity items. In prior months:
- March 2026: SAP NetWeaver critical auth bypass (CVSS 9.1) exploited within days of disclosure
- February 2026: Multiple high-severity NetWeaver and BusinessObjects flaws addressed
- 2025: SAP vulnerabilities contributed to several high-profile enterprise breaches involving data exfiltration from ERP systems
The pattern underscores that SAP patching should be treated with the same urgency as Microsoft Patch Tuesday — critical SAP flaws are weaponized rapidly.