SAP security advisory – May 2026 monthly rollup (AV26-447)
# Vulnerability: SAP Security Advisory – May 2026 Monthly Rollup
## CVE Details
*Note: Specific CVE IDs for the May 2026 rollup have not been individually detailed in the summary provided by the Canadian Centre for Cyber Security. Users must refer to the SAP Support Portal for individual CVE mappings.*
- **CVE ID:** Multiple (Rollup Advisory)
- **CVSS Score:** Varies (Up to High/Critical based on product impact)
- **CWE:** Varies (Includes potential Log4j vulnerabilities and Business Server Pages flaws)
## Affected Systems
- **SAP S/4HANA (Enterprise Search/Condition Maintenance/Incentive & Commission):** SAP_BASIS 751–816; S4CORE 102–109.
- **SAP NetWeaver AS for ABAP & ABAP Platform:** SAP_BASIS 700–816, 918.
- **SAP Commerce Cloud:** HY_COM 2205; COM_CLOUD 2211 (including JDK21 variants).
- **SAP BusinessObjects BI Platform:** versions 430, 2025, and 2027.
- **SAP UI5 (Search UI):** versions 1.71, 1.84, 1.96, 1.108, 1.120, 1.136, 1.142.
- **SAP Forecasting and Replenishment:** SCM 702, 712, 713, 714.
- **SAP Financial Consolidation:** FINANCE 1010.
- **SAP HANA Deployment Infrastructure (HDI):** XS_HDI_DEPLOYER 1.00.
- **Other affected components:** SAP Strategic Enterprise Management (SEM-BW), Business Server Pages (ST-PI).
## Vulnerability Description
This rollup addresses a variety of security flaws across the SAP ecosystem. Key areas of concern include:
1. **Component Dependencies:** An update to **Apache Log4j** in SAP Commerce Cloud indicates remediation of potential remote code execution or denial-of-service flaws within the logging framework.
2. **Web Frameworks:** Multiple vulnerabilities in **Business Server Pages (BSP)** and **SAPUI5** applications; flaws in these components typically involve Cross-Site Scripting (XSS) or improper authentication.
3. **Core Infrastructure:** Fixes for the **ABAP Platform** and **HANA Deployment Infrastructure** address underlying system-level vulnerabilities that could permit unauthorized access or data manipulation.
## Exploitation
- **Status:** No reports of active exploitation in the wild at the time of publication.
- **Complexity:** Varies (Typically Low to Medium for web-based SAP components).
- **Attack Vector:** Network (Most SAP security notes in monthly rollups are remotely exploitable via HTTP/HTTPS).
## Impact
- **Confidentiality:** High (Potential unauthorized access to business data).
- **Integrity:** High (Potential for unauthorized modification of financial or enterprise records).
- **Availability:** Medium to High (Potential service disruption depending on the specific component).
## Remediation
### Patches
SAP recommends applying the following Security Notes via the SAP Support Portal:
- **SAP Commerce Cloud:** Upgrade to latest patched versions of 2205 or 2211.
- **SAP NetWeaver/S/4HANA:** Apply the relevant Support Package (SP) or Kernel update for your specific SAP_BASIS or S4CORE level.
- **SAPUI5:** Update to the latest patch level for your specific minor version (e.g., 1.142.x).
### Workarounds
- Disable unused Business Server Pages (BSP) applications via transaction `SICF`.
- Limit network access to SAP HANA Deployment Infrastructure ports.
- Implement strict ingress filtering on the SAP Web Dispatcher.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative activity in SAP NetWeaver logs or unexpected outbound connections from SAP Commerce Cloud servers (Log4j-related).
- **Detection Methods:** Use **SAP EarlyWatch Alert** reports and the **SAP Configuration Validation** tool to identify systems missing the May 2026 security notes.
## References
- SAP Security Patch Day – May 2026: [https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html](https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html)
- Canadian Centre for Cyber Security (AV26-447): [https://www.cyber.gc.ca/en/alerts-advisories/sap-security-advisory-may-2026-monthly-rollup-av26-447](https://www.cyber.gc.ca/en/alerts-advisories/sap-security-advisory-may-2026-monthly-rollup-av26-447)