PatchSiren cyber security CVE debrief

CVE-2026-44744 SAP_SE CVE debrief

A SQL injection vulnerability was discovered in a remote-enabled function module component of SAP S/4HANA (On-Premise). An authenticated attacker could exploit this flaw to potentially execute unauthorized database queries, exposing sensitive information to which they should not otherwise have access. The vulnerability has a high impact on the confidentiality of the data, with no impact on the integrity or availability of the application. The CVSS score for this vulnerability is 6.5, with a severity rating of MEDIUM.

Vendor: SAP_SE
Product: SAP S/4HANA
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Administrators and security teams responsible for SAP S/4HANA (On-Premise) systems should be aware of this vulnerability and take the necessary actions to mitigate the risk.

Technical summary

The vulnerability exists in a remote-enabled function module component of SAP S/4HANA (On-Premise) and is caused by a lack of proper input validation, allowing for SQL injection attacks. An authenticated attacker could exploit this vulnerability to execute unauthorized database queries, potentially leading to data exposure.

Defensive priority

MEDIUM

Recommended defensive actions

  • Apply the necessary patches and updates provided by SAP to fix the vulnerability.
  • Restrict access to the affected component and ensure that only authorized personnel have access to it.
  • Monitor system logs and network traffic for suspicious activity.
  • Implement additional security measures, such as input validation and sanitization, to prevent similar attacks in the future.

Evidence notes

The CVE record for CVE-2026-44744 was published on June 9, 2026, and was last modified on June 9, 2026. The vulnerability was reported by SAP and is tracked under the references [ref-4](https://me.sap.com/notes/3751691) and [ref-5](https://url.sap/sapsecuritypatchday).

Official resources

CVE-2026-44744 was published on 2026-06-09T01:16:46.333Z and last modified on 2026-06-09T02:08:28.150Z.