SAP has released 17 new security notes as part of its January 2026 Security Patch Day, with four addressing critical-severity vulnerabilities including a severe SQL injection flaw.
Critical Vulnerabilities
CVE-2026-0501 - SQL Injection in S/4HANA
CVSS Score: 9.9 (Critical)
The most severe vulnerability is a SQL injection bug in S/4HANA that could allow attackers to:
- Execute arbitrary SQL commands
- Access or modify sensitive business data
- Potentially achieve remote code execution
- Compromise database integrity
S/4HANA is SAP’s flagship ERP platform used by thousands of enterprises worldwide for core business processes.
Impact Assessment
SQL injection in ERP systems is particularly dangerous because:
- Financial data exposure: Transaction records, pricing, accounts payable/receivable
- Supply chain disruption: Inventory, procurement, logistics data
- HR data breach: Employee records, payroll information
- Regulatory implications: SOX, GDPR, industry-specific compliance
Additional Critical Patches
Three other critical vulnerabilities were addressed:
- Authentication bypass in SAP BusinessObjects
- Remote code execution in SAP NetWeaver
- Privilege escalation in SAP Solution Manager
Patch Recommendations
- Prioritize S/4HANA systems due to SQL injection severity
- Test in sandbox before production deployment
- Review database logs for exploitation indicators
- Implement WAF rules as interim mitigation if patching delayed
- Verify patch installation through SAP Note validation
SAP Security Best Practices
- Subscribe to SAP Security Notes notifications
- Establish monthly patch review cycles aligned with Patch Day
- Maintain current support pack levels
- Implement SAP’s security baseline recommendations
- Consider SAP Enterprise Threat Detection for monitoring