SAP Fixes Critical NetWeaver Bug That Lets Logged-In Users Corrupt Memory
The July 2026 patch batch closes CVE-2026-44747, a 9.9-rated flaw in the ABAP application server that could expose or alter company data.

Key points
- SAP released its July 2026 security updates fixing multiple flaws, including a critical bug in NetWeaver Application Server ABAP.
- The headline flaw, CVE-2026-44747, carries a severity score of 9.9 out of 10.
- The bug is an out-of-bounds write, a memory-handling mistake that a logged-in user can abuse to corrupt data inside the server.
- Successful exploitation could let an attacker read or change business data held in the SAP system.
- Administrators running NetWeaver ABAP should apply the July patch without waiting for the next maintenance window.
SAP has pushed out its July 2026 security fixes, and one bug stands well above the rest.
It sits in NetWeaver Application Server ABAP, the piece of software that runs a huge share of the world's finance, HR and supply-chain systems. If you have ever had a payslip, an invoice, or a shipping notice, there is a fair chance an SAP server touched it.
The flaw is tracked as CVE-2026-44747. SAP rates it 9.9 out of 10 on the standard severity scale, which is about as high as these ratings go without hitting the ceiling.
What does this bug actually let an attacker do?
It lets someone who already has a valid login break the server's memory in a controlled way, and from there read or change data they should not be able to touch.
The technical name is an out-of-bounds write. In plain terms: the software sets aside a small box in memory for a specific piece of data, and a logical mistake lets an attacker write outside that box, scribbling over memory that belongs to something else. Do that carefully enough and you can steer what the program does next.
SAP's own note, first reported by The Hacker News, says the bug comes from logical errors in how the ABAP server manages memory. An authenticated attacker, meaning one with working credentials, can trigger the corruption and then use it to expose or modify information held in the system.
That authenticated part matters. This is not a bug a random stranger on the internet can fire at your server from a coffee shop. But in the real world, credentials are cheap. They leak in phishing runs, sit in old password dumps, or belong to contractors who left two jobs ago. Treat any critical flaw that needs only a login as within reach of a determined attacker.
Who is affected?
Any organisation running NetWeaver Application Server ABAP that has not yet applied the July 2026 patch.
That covers a lot of ground. NetWeaver ABAP underpins SAP ERP, S/4HANA on-premises deployments, and a long list of other SAP business modules. If your IT team runs SAP in-house rather than purely in SAP's cloud, this almost certainly applies.
SAP delivered the fix through its regular monthly Security Patch Day. The company does not publish full technical details in public, because it would hand attackers a map. Patch notes are available to customers through the SAP Support Portal.
What should teams do now?
Apply the July 2026 SAP Security Notes, starting with the one covering CVE-2026-44747.
A few practical steps beyond the patch itself:
- Review who has interactive login rights on production ABAP systems, and pull access from anyone who does not need it this quarter.
- Check logs for unusual ABAP runtime errors or short dumps in the weeks before you patch, since a failed exploit often shows up as a crash before a successful one shows up as silence.
- Rotate credentials for any service accounts with broad SAP access, especially those shared between humans and scripts.
Regular users of SAP-powered systems, the staff filing expenses or approving purchase orders, do not need to do anything. This one is on the administrators.



