SAP released 17 new Security Notes as part of its January 2026 Security Patch Day (plus 2 updates), addressing 19 vulnerabilities including four critical-severity flaws. The most severe, CVE-2026-0501, is a SQL injection in S/4HANA's General Ledger module with a CVSS score of 9.9.
Patch overview
| Metric | Count |
|---|---|
| New Security Notes | 17 |
| Updated Security Notes | 2 |
| Total vulnerabilities | 19 |
| HotNews (Critical) Notes | 6 |
| High Priority Notes | 4 |
Critical vulnerabilities
| CVE | CVSS | Product | Type | SAP Note |
|---|---|---|---|---|
| CVE-2026-0501 | 9.9 | S/4HANA (General Ledger) | SQL Injection | 3687749 |
| CVE-2026-0500 | 9.6 | Wily Introscope Enterprise Manager | Remote Code Execution | — |
| CVE-2026-0498 | 9.1 | S/4HANA | Code Injection → OS Command Injection | 3694242 |
| CVE-2026-0491 | 9.1 | Landscape Transformation | Code Injection | 3697979 |
| CVE-2026-0492 | 8.8 | SAP HANA Database | Privilege Escalation | — |
CVE-2026-0501: SQL injection in S/4HANA
Severity: CVSS 9.9 (Critical)
SAP Note: 3687749
Technical details
The vulnerability exists in SAP S/4HANA’s Financials General Ledger component:
| Attribute | Details |
|---|---|
| Component | Financials – General Ledger |
| Interface | Remote Function Call (RFC)-enabled module |
| Framework | ABAP Database Connectivity (ADBC) |
| Root cause | Inadequate input validation on SQL parameters |
| Attack type | Arbitrary SQL command execution |
Vulnerability mechanism
| Step | Action |
|---|---|
| 1 | Attacker identifies RFC-enabled function module |
| 2 | Crafted SQL statement passed via input parameter |
| 3 | ADBC framework executes native SQL without validation |
| 4 | Arbitrary SQL commands execute against database |
| 5 | Full system compromise achieved |
“This SQL statement is provided through an input parameter and allows an attacker to execute arbitrary SQL commands. On successful exploitation, the system can be fully compromised.”
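To make the mechanism concrete, the following ABAP is a constructed illustration added here; it is not SAP's code and not the affected function module. It shows a read that splices its input parameter into native SQL executed through ADBC, beside the bound-parameter form that removes the injection. It assumes the universal-journal table ACDOCA (fields RBUKRS, BELNR, HSL) and the company-code authorization object F_BKPF_BUK.

```abap
REPORT zsec_adbc_binding_demo.
" Constructed illustration, not SAP's code: IV_BUKRS stands in for an
" RFC input parameter that reaches native SQL through ADBC.
TYPES: BEGIN OF ty_item,
         belnr TYPE c LENGTH 10,
         hsl   TYPE p LENGTH 12 DECIMALS 2,
       END OF ty_item,
       ty_items TYPE STANDARD TABLE OF ty_item WITH EMPTY KEY.
CLASS lcl_gl_reader DEFINITION.
  PUBLIC SECTION.
    " Vulnerable form: the caller-controlled value is spliced into the SQL text.
    METHODS read_unsafe IMPORTING iv_bukrs TYPE string
                        RETURNING VALUE(rt_items) TYPE ty_items.
    " Hardened form: fixed SQL text, value passed as a bound parameter.
    METHODS read_safe   IMPORTING iv_bukrs TYPE string
                        RETURNING VALUE(rt_items) TYPE ty_items.
ENDCLASS.
CLASS lcl_gl_reader IMPLEMENTATION.
  METHOD read_unsafe.
    " A quote or statement separator inside IV_BUKRS rewrites the statement;
    " ADBC executes whatever string it is handed, with no further validation.
    DATA(lv_sql) = |SELECT belnr, hsl FROM acdoca WHERE rbukrs = '{ iv_bukrs }'|.
    DATA(lo_result) = NEW cl_sql_statement( )->execute_query( lv_sql ).
    lo_result->set_param_table( REF #( rt_items ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  ENDMETHOD.
  METHOD read_safe.
    " Fixed-length copy (at most four characters) that is bound rather than
    " concatenated, so the value can only ever be compared as data.
    DATA lv_bukrs TYPE c LENGTH 4.
    lv_bukrs = iv_bukrs.
    " Application-level check: a broad S_RFC grant alone must not yield the
    " data (F_BKPF_BUK assumed as the company-code authorization object).
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD lv_bukrs
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    DATA(lo_stmt) = NEW cl_sql_statement( ).
    lo_stmt->set_param( REF #( lv_bukrs ) ).
    DATA(lo_result) = lo_stmt->execute_query(
      `SELECT belnr, hsl FROM acdoca WHERE rbukrs = ?` ).
    lo_result->set_param_table( REF #( rt_items ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  ENDMETHOD.
ENDCLASS.
```

The placeholder `?` with `set_param` is what keeps the statement text constant regardless of the caller's input; the authority check closes the gap that a wide S_RFC grant opens at the RFC layer.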
Affected versions
| Product | Affected Versions | Environment |
|---|---|---|
| S4CORE | 102 through 109 | Private Cloud |
| S4CORE | 102 through 109 | On-Premise |
Exploitation requirements
| Requirement | Details |
|---|---|
| Authentication | Required (low-privilege sufficient) |
| Network access | RFC-enabled module reachable |
| User interaction | None required |
| Privileges | Low (S_RFC authorization) |
Critical prerequisite
SAP notes a critical configuration factor: the vulnerability becomes exploitable when S_RFC authorizations are configured too broadly, allowing external RFC calls to the affected function group.
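The broad-S_RFC prerequisite above is something an administrator can measure. The following report is a constructed example added here, not SAP's code: it lists every role whose S_RFC authorization covers a given function group through a wildcard, a pattern or a range. It assumes the standard role authorization table AGR_1251 (fields AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED) and the S_RFC field RFC_NAME; the function group to check is supplied as a parameter because the page does not name it.

```abap
REPORT zsec_s_rfc_scope_audit.
" Constructed audit report, not SAP's code. Lists roles whose S_RFC
" authorization covers the function group (or module) named in P_FUGR.
" Assumes the role authorization table AGR_1251 and the S_RFC field RFC_NAME.
PARAMETERS p_fugr TYPE c LENGTH 30 OBLIGATORY.
TYPES: BEGIN OF ty_hit,
         agr_name TYPE agr_1251-agr_name,
         low      TYPE agr_1251-low,
         high     TYPE agr_1251-high,
       END OF ty_hit.
DATA lt_hits TYPE STANDARD TABLE OF ty_hit WITH EMPTY KEY.
START-OF-SELECTION.
  " Every RFC_NAME value granted through S_RFC in a role that is not
  " flagged as deleted.
  SELECT agr_name, low, high
    FROM agr_1251
    WHERE object  = 'S_RFC'
      AND field   = 'RFC_NAME'
      AND deleted = @space
    INTO TABLE @DATA(lt_auths).
  LOOP AT lt_auths INTO DATA(ls_auth).
    " '*' grants every function group; CP matches patterns such as 'F*';
    " a filled HIGH value turns LOW..HIGH into a range.
    IF ls_auth-low = '*'
       OR p_fugr CP ls_auth-low
       OR ( ls_auth-high IS NOT INITIAL
            AND p_fugr BETWEEN ls_auth-low AND ls_auth-high ).
      APPEND VALUE #( agr_name = ls_auth-agr_name
                      low      = ls_auth-low
                      high     = ls_auth-high ) TO lt_hits.
    ENDIF.
  ENDLOOP.
  SORT lt_hits BY agr_name low.
  DELETE ADJACENT DUPLICATES FROM lt_hits COMPARING ALL FIELDS.
  IF lt_hits IS INITIAL.
    WRITE / |No role grants S_RFC RFC_NAME covering { p_fugr }.|.
  ENDIF.
  " Each hit is a role to review: narrow RFC_NAME to the groups the role
  " really needs, or remove S_RFC where the role has no RFC purpose.
  LOOP AT lt_hits INTO DATA(ls_hit).
    WRITE: / ls_hit-agr_name, ls_hit-low, ls_hit-high.
  ENDLOOP.
```

Roles granting RFC_NAME '*' to technical RFC users are the cases the note's prerequisite describes; tightening those grants reduces exposure even before the patch is in.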
Attack scenario
| Phase | Action |
|---|---|
| 1 | Attacker compromises technical RFC user |
| 2 | Uses RFC tooling to call vulnerable function |
| 3 | Passes crafted SQL parameters |
| 4 | Arbitrary SQL executes on database |
| 5 | Data theft, modification, or destruction |
Why ERP SQL injection is critical
SQL injection in enterprise ERP systems has severe business impact:
| Risk Area | Exposure |
|---|---|
| Financial data | Transaction records, pricing, AP/AR, general ledger |
| Supply chain | Inventory, procurement, logistics |
| HR data | Employee records, payroll, benefits |
| Customer data | Master data, orders, contracts |
| Regulatory | SOX, GDPR, industry-specific compliance |
General Ledger significance
The General Ledger module is the foundation of financial record-keeping in S/4HANA:
| Function | Risk if compromised |
|---|---|
| Financial statements | Fraudulent reporting |
| Audit trail | Evidence tampering |
| Compliance records | Regulatory violations |
| Tax records | Tax fraud liability |
| Intercompany transactions | Hidden transfers |
S/4HANA is SAP’s flagship ERP platform used by thousands of enterprises for core business processes. Compromise of the General Ledger module represents existential business risk.
Other critical patches
CVE-2026-0500: Wily Introscope RCE (CVSS 9.6)
| Attribute | Details |
|---|---|
| Product | Wily Introscope Enterprise Manager |
| Type | Remote Code Execution |
| Authentication | Not required |
| Impact | Full monitoring infrastructure compromise |
A remote code execution flaw in SAP's application performance monitoring tool; it allows unauthenticated attackers to execute commands on the monitoring infrastructure.
CVE-2026-0498: S/4HANA Code Injection (CVSS 9.1)
| Attribute | Details |
|---|---|
| Product | S/4HANA |
| Type | Code Injection → OS Command Injection |
| SAP Note | 3694242 |
| Impact | System command execution |
An RFC-based code injection that leads to OS command injection; it enables attackers to execute system commands on the application server.
CVE-2026-0491: Landscape Transformation Code Injection (CVSS 9.1)
| Attribute | Details |
|---|---|
| Product | Landscape Transformation |
| Type | Code Injection |
| SAP Note | 3697979 |
| Impact | Migration tooling compromise |
Code injection vulnerability in SAP’s system migration and transformation tooling.
CVE-2026-0492: HANA Privilege Escalation (CVSS 8.8)
| Attribute | Details |
|---|---|
| Product | SAP HANA Database |
| Type | Privilege Escalation |
| Impact | Database integrity compromise |
Enables authenticated users to escalate privileges and compromise database integrity.
Patching guidance
Priority order
| Priority | SAP Note | CVE | Product |
|---|---|---|---|
| 1 (Emergency) | 3687749 | CVE-2026-0501 | S/4HANA Finance SQL injection |
| 2 | — | CVE-2026-0500 | Wily Introscope RCE |
| 3 | 3694242 | CVE-2026-0498 | S/4HANA RFC code injection |
| 4 | 3697979 | CVE-2026-0491 | Landscape Transformation |
| 5 | — | CVE-2026-0492 | HANA privilege escalation |
Implementation steps
| Step | Action |
|---|---|
| 1 | Download Security Notes from SAP Support Portal |
| 2 | Test patches in sandbox/QA environment |
| 3 | Review database logs for exploitation indicators |
| 4 | Deploy to production during maintenance window |
| 5 | Verify installation via SAP Note validation |
| 6 | Review S_RFC authorizations for overly broad access |
If patching must be delayed
| Mitigation | Purpose |
|---|---|
| WAF rules | Block suspicious SQL patterns |
| Network restrictions | Limit RFC module access |
| Enhanced logging | Detect exploitation attempts |
| S_RFC audit | Restrict external RFC permissions |
| SQL monitoring | Alert on anomalous queries |
Detection indicators
| Indicator | Meaning |
|---|---|
| Unusual SQL patterns in GL module | Potential exploitation |
| RFC calls from unexpected sources | Unauthorized access |
| Failed authentication spikes | Attack reconnaissance |
| Large data exports from finance | Data exfiltration |
| Anomalous GL transaction patterns | Post-exploitation activity |
Recommendations
For SAP administrators
| Priority | Action |
|---|---|
| Critical | Apply SAP Note 3687749 immediately (emergency patch) |
| Critical | Review and restrict S_RFC authorizations |
| High | Patch all critical-severity notes within 72 hours |
| High | Audit RFC-enabled function modules |
| Medium | Implement WAF rules as interim mitigation |
| Ongoing | Monitor for exploitation indicators |
For security teams
| Priority | Action |
|---|---|
| Critical | Validate patch deployment across SAP landscape |
| High | Review database logs for prior exploitation |
| High | Assess S_RFC authorization scope |
| Medium | Update detection rules for SQL injection patterns |
| Ongoing | Include SAP in vulnerability management program |
Ongoing SAP security
Recommended practices
| Practice | Benefit |
|---|---|
| Subscribe to Security Notes notifications | Early awareness |
| Monthly patch review cycles | Aligned with Patch Day |
| Current Support Pack levels | Reduced technical debt |
| SAP security baseline | Configuration hardening |
| SAP Enterprise Threat Detection | Continuous monitoring |
Context
SAP Security Patch Day occurs on the second Tuesday of each month. January 2026’s release is notable for the concentration of critical-severity vulnerabilities affecting core ERP functionality.
The new SAP Security year starts with six HotNews Notes, an unusually high number of critical issues for a single Patch Day. Organizations running S/4HANA should treat CVE-2026-0501 as an emergency patch: a CVSS 9.9 SQL injection in the General Ledger module represents maximum business risk.
The combination of financial system access, arbitrary SQL execution, and low privilege requirements makes this one of the most severe SAP vulnerabilities in recent memory.