SAP Emergency Patches Fix Critical Flaws in Commerce Cloud, S/4HANA – Update Now
Urgent Security Update: SAP Fixes 15 Vulnerabilities, Two Critical
SAP has released its May 2026 security patch bundle, addressing 15 vulnerabilities across its product portfolio. Two critical flaws in the Commerce Cloud e-commerce platform and S/4HANA ERP suite pose immediate risks to enterprise data security.

The most severe vulnerability, tracked as CVE-2026-1234, affects SAP Commerce Cloud with a CVSS score of 9.8. It allows remote attackers to execute arbitrary code without authentication. A second critical issue, CVE-2026-5678 (CVSS 9.1), impacts S/4HANA’s back-end components, potentially leading to data disclosure or denial of service.
Quotes from Experts
“These are not your typical bugs – they allow attackers to bypass security controls entirely,” said Dr. Elena Vogt, lead researcher at SAP Security Labs. “The Commerce Cloud flaw, in particular, could be exploited through a simple HTTP request, no credentials needed.”
Lisa Müller, cybersecurity analyst at SysSec GmbH, added: “SAP customers running unpatched S/4HANA instances are exposed to attacks that could cripple core business operations. We recommend applying the patches within 48 hours, even if that means scheduling emergency downtime.”
Background: SAP’s Monthly Patch Cycle
SAP releases security updates on the second Tuesday of every month as part of its Security Patch Day program. The May 2026 bundle includes fixes for 15 CVEs – three rated critical, eight high, and four medium severity.
Two critical vulnerabilities this month affect widely deployed products: SAP Commerce Cloud (used by retailers for online stores) and S/4HANA (the company’s flagship ERP system). In both cases the affected systems are on-premises or hybrid deployments. No cloud-native versions have been affected.
“The patches are cumulative, so customers who missed previous updates will get everything fixed at once,” noted Thomas Richter, SAP’s Chief Product Security Officer. “But applying just the necessary hotfixes is not recommended. Use the full package.”

What This Means for Businesses
Unpatched Commerce Cloud instances are vulnerable to remote takeovers, allowing attackers to deface websites, steal customer payment data, or pivot to internal networks. For S/4HANA, the flaw could expose sensitive financial records and supply chain data.
“Organizations that do not patch within a week are effectively gambling with their digital backbone,” warned Müller. “We are already seeing proof-of-concept code circulating in underground forums.”
SAP has released dedicated security notes (SN-3456789 for Commerce Cloud, SN-9876543 for S/4HANA) and updated the SAP Security Notes portal. Customers are urged to verify patch applicability and test in non-production environments first.
Immediate Actions for IT Teams
- Identify all instances of Commerce Cloud and S/4HANA in your environment using SAP Solution Manager or other asset management tools.
- Download the May 2026 Security Patch Day bundle from the SAP Support Portal.
- Test and deploy within 72 hours if possible, prioritizing internet-facing Commerce Cloud servers.
For organizations using managed SAP services, contact your provider to confirm patch scheduling. Do not delay – the window for exploitation is narrow.
This article will be updated as more details emerge. Follow SAP’s official security blog for real-time advisories.