SAP NetWeaver CVE-2026-44748: SAML Bypass Patch
SAP's June 2026 Patch Day fixes a 9.9-rated SAML signature-wrapping flaw plus an unauthenticated memory-corruption RCE. Here is what to patch first.

SAP's June 2026 Security Patch Day addressed 15 vulnerabilities, and four of them are critical-severity flaws hitting SAP NetWeaver and SAP Commerce Cloud. The headliner is CVE-2026-44748, a CVSS 9.9 XML Signature Wrapping flaw in SAML authentication that can let an attacker forge an identity and walk past access controls.
Quick answer
CVE-2026-44748 (CVSS 9.9) is an XML Signature Wrapping flaw in SAP NetWeaver's SAML authentication: a low-privilege authenticated attacker can tamper with a signed message and have the verifier accept a forged identity. SAP's June 2026 Patch Day fixes it along with three other critical flaws, including an unauthenticated, automatable memory-corruption RCE (CVE-2026-27671, CVSS 9.8). Patch internet-facing and business-critical NetWeaver and Commerce Cloud systems first, and restrict network exposure while you stage the SAP Notes.
Key takeaways
- CVE-2026-44748 (CVSS 9.9) is an XML Signature Wrapping flaw in SAML authentication. An authenticated low-privilege attacker can tamper with a signed message and have the verifier accept a forged identity.
- CVE-2026-27671 (CVSS 9.8) is an unauthenticated memory-corruption bug in RFC protocol handling that CISA's ADP assessment flagged as automatable, meaning exploitation can be scripted at scale.
- CVE-2026-40128 (CVSS 9.0) is an unauthenticated directory-traversal flaw allowing access to files outside the intended directory.
- SAP NetWeaver has been a repeated, high-value exploitation target, so apply the June patches without delay.
- Restrict network exposure of NetWeaver and Commerce Cloud interfaces while you stage the updates.
The four critical flaws, ranked by urgency
Here is how the critical June 2026 fixes compare and which to deploy first:
| CVE | CVSS | Type | Auth needed | Priority |
|---|---|---|---|---|
| CVE-2026-27671 | 9.8 | RFC memory corruption RCE | None, automatable | First if internet-facing |
| CVE-2026-44748 | 9.9 | SAML signature wrapping | Low-privilege user | High |
| CVE-2026-40128 | 9.0 | Directory traversal | None | High |
| Fourth critical fix | Critical | NetWeaver / Commerce | Varies | Apply with the set |
The SAML flaw in plain terms
SAML is the standard that lets you sign in once and have a signed assertion vouch for your identity to other systems. XML Signature Wrapping abuses how some implementations validate that signature: the code that checks the signature and the code that reads the identity each locate the assertion on their own, typically by ID reference for the first and by document order for the second. The attacker takes a legitimately signed message and wraps or relocates XML elements so the element the verifier checks is still intact and valid, while the element the application reads contains tampered identity data.
In the case of CVE-2026-44748, an authenticated user with normal privileges can obtain a valid signed message and submit a modified version with altered identity information that the verifier accepts. That can grant access to sensitive user data and disrupt normal operation.
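The following is an added example written for this article; it is not SAP's code and is not derived from the advisory, and it makes several simplifying assumptions: no XML namespaces, a detached Signature element under the Response that references the Assertion by ID, and an HMAC-SHA256 over the element's serialization standing in for the RSA XML-DSig signature. The bug class it models is the one described above: the signature check and the identity lookup find the assertion independently, so a relocated signed assertion still verifies while a forged one is read.

```python
"""Added example: XML Signature Wrapping against a naive SAML verifier.

Illustrative code for this article, not SAP's code and not derived from the
advisory. Assumptions: no XML namespaces, a detached <Signature> under
<Response> referencing the <Assertion> by ID, and HMAC-SHA256 over the
element's serialization standing in for the XML-DSig RSA signature.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's private key


def canonical(elem):
    """Serialize only the element subtree, so its position in the document is irrelevant."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="unicode")


def sign(elem):
    return hmac.new(IDP_KEY, canonical(elem).encode(), hashlib.sha256).hexdigest()


def build_signed_response(name_id, assertion_id="_a1"):
    """IdP side: one Assertion plus a Signature whose Reference points at it."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "NameID").text = name_id
    sig = ET.SubElement(resp, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(sig, "SignatureValue").text = sign(assertion)
    return ET.tostring(resp, encoding="unicode")


def wrap(signed_xml, forged_name_id):
    """Attacker side: keep the signed Assertion intact but move it under a
    wrapper element, and put an unsigned Assertion carrying the forged
    identity first in document order."""
    resp = ET.fromstring(signed_xml)
    original = resp.find("Assertion")
    resp.remove(original)
    forged = ET.Element("Assertion", ID="_forged")
    ET.SubElement(forged, "NameID").text = forged_name_id
    resp.insert(0, forged)
    ET.SubElement(resp, "Extensions").append(original)
    return ET.tostring(resp, encoding="unicode")


def _verify_signature(resp):
    """Check the signature and return the element it actually covers."""
    sig = resp.find("Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    target = resp.find(f".//*[@ID='{ref_id}']")
    if target is None or not hmac.compare_digest(sign(target), sig.find("SignatureValue").text):
        raise ValueError("signature verification failed")
    return target


def vulnerable_verify(xml):
    """The signature check passes (it covers the relocated original), but the
    identity is taken from the first NameID in the document: the forged one."""
    resp = ET.fromstring(xml)
    _verify_signature(resp)
    return resp.find(".//NameID").text


def hardened_verify(xml):
    """Require exactly one top-level Assertion, and read the identity only
    from the subtree the signature was verified over."""
    resp = ET.fromstring(xml)
    if len(resp.findall(".//Assertion")) != 1:
        raise ValueError("expected exactly one Assertion")
    signed = _verify_signature(resp)
    if signed.tag != "Assertion" or signed not in list(resp):
        raise ValueError("signature does not cover the top-level Assertion")
    return signed.find("NameID").text


if __name__ == "__main__":
    legit = build_signed_response("alice")
    attack = wrap(legit, "sap_admin")
    print("vulnerable verifier accepted:", vulnerable_verify(attack))
    try:
        hardened_verify(attack)
    except ValueError as err:
        print("hardened verifier rejected:", err)
```

The point of the hardened variant is not a stronger signature algorithm; the signature was never broken. It is that identity is read from the exact element whose signature was checked, and that the document is rejected outright when it contains more than one assertion or the signed element is not where the protocol says it must be.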
The two unauthenticated flaws are arguably scarier
While the SAML flaw needs an authenticated foothold, two of the other critical fixes do not:
- CVE-2026-27671 stems from improper validation in the RFC protocol. An unauthenticated attacker can send crafted requests that trigger logic errors in memory management. No authentication, no user interaction, and CISA's ADP assessment flagged it as automatable.
- CVE-2026-40128 lets an unauthenticated attacker craft a malicious HTTP logon request that manipulates file-inclusion parameters, using path-traversal sequences to read or modify files outside the intended directory.
Note
Unauthenticated plus automatable is the worst combination for a perimeter-reachable system. If your NetWeaver instance is internet-exposed, treat CVE-2026-27671 as your first priority.
What to do now
- Inventory your SAP estate. Identify every NetWeaver and Commerce Cloud instance, including the version, patch level, and whether SAML authentication and RFC interfaces are enabled.
- Apply the June 2026 SAP Security Patch Day notes. Map each critical CVE to the relevant SAP Note and schedule deployment, prioritizing internet-facing and business-critical systems.
- Reduce exposure while you stage. Limit network access to NetWeaver and Commerce interfaces to known management networks, and place them behind a VPN or segmentation boundary rather than the open internet.
- Review SAML configuration. Confirm signature validation is strict, that your identity provider relationships are correctly scoped, and that the application reads identity only from the assertion whose signature it verified.
- Monitor for exploitation. Watch RFC and HTTP logs for malformed requests, unexpected file access, and authentication anomalies that could indicate signature-wrapping attempts.
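As an added example of the log monitoring step, not SAP's tooling and not derived from the advisory, the script below flags path-traversal attempts in HTTP access logs. It assumes a combined-log-style line (client IP first, the request in quotes, then the status code) and goes a little beyond the text by decoding up to two rounds of percent-encoding, so encoded and double-encoded traversal sequences and backslash variants are caught, not just a literal "../". The sample log lines and the "template" parameter are constructed for the demo.

```python
"""Added example: flag path-traversal attempts in HTTP access logs.

Illustrative code for this article, not SAP's tooling and not derived from
the advisory. Assumes combined-log-style lines; the sample lines and the
'template' parameter are constructed for the demo.
"""
import re
from urllib.parse import unquote

# Constructed sample lines: benign GET, three traversal attempts, benign POST.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jun/2026:09:14:01 +0000] "GET /sap/logon?template=default HTTP/1.1" 200 512',
    '203.0.113.10 - - [12/Jun/2026:09:14:05 +0000] "GET /sap/logon?template=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337',
    '198.51.100.7 - - [12/Jun/2026:09:15:22 +0000] "GET /sap/logon?template=%252e%252e%252f%252e%252e%252fwin.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Jun/2026:09:15:30 +0000] "GET /sap/logon?template=..%5c..%5cboot.ini HTTP/1.1" 200 88',
    '192.0.2.44 - - [12/Jun/2026:09:16:00 +0000] "POST /sap/logon HTTP/1.1" 302 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." that starts a path component (preceded by start, separator, '=', '?', '&')
# and is followed by a separator or the end of the string, after normalization.
TRAVERSAL_RE = re.compile(r"(?:^|[^\w.])\.\.(?:[/\\]|$)")


def normalize(path):
    """Undo up to two rounds of percent-encoding, then treat backslash as slash."""
    decoded = path
    for _ in range(2):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def is_traversal(path):
    return TRAVERSAL_RE.search(normalize(path)) is not None


def scan(lines):
    """Return (client_ip, normalized_path, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["ip"], normalize(m["path"]), m["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A 200 status on a traversal request is the line to chase first; a 404 still tells you who is probing. Feed the same normalization into your SIEM rule rather than matching the raw request string, because the encoded forms are what an automated scanner actually sends.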
How to verify the patch took effect
Applying a SAP Note is not the same as confirming it is live. After deployment, validate the fix rather than assuming the change window succeeded:
- Check implementation status in transaction SNOTE for each Note and the Support Package level in SPAM/SAINT, and confirm the fix shows as implemented or imported, not just queued. Where a fix ships as a kernel patch rather than an ABAP Note, confirm the kernel patch level on every application server (SM51) instead.
- For the SAML fix, test an authentication flow end to end with strict signature validation enabled, and confirm a tampered assertion is rejected rather than silently accepted.
- For the RFC memory-corruption flaw, restrict the RFC gateway with gw/reg_info and gw/sec_info access control lists (the reginfo and secinfo files) so only trusted programs can register, which limits exposure even between patch cycles.
- Re-run an external vulnerability scan against the NetWeaver host to confirm the directory-traversal and RFC endpoints no longer respond to the known proof-of-concept request shapes.
- Record the deployed Note numbers and dates in your change log so auditors and incident responders can confirm coverage later.
A patch that is imported but not activated, or activated on only part of a clustered landscape, leaves the same hole open. Treat verification as part of the job, not an afterthought.
Why SAP is such a prized target
SAP runs the financial and operational backbone of a huge share of large enterprises. A successful compromise can mean access to payroll, vendor payments, and the most sensitive corporate data in the building. That is exactly why both extortion crews and state actors keep returning to NetWeaver flaws. The same pattern of attackers racing to weaponize freshly disclosed enterprise bugs shows up across the industry, from the Oracle E-Business Suite Clop extortion campaign to VMware vCenter and ESXi exploitation.
For SAP teams, the durable lesson is to shrink the patch-to-deploy window for critical CVEs and to keep these systems off the open internet. Pair that discipline with the kind of ransomware-proof backup strategy that lets you recover even if an attacker reaches the core.
Frequently asked questions
Is CVE-2026-44748 being exploited in the wild yet?
As of the June 2026 disclosure, SAP and vulnerability trackers rated it critical but had not confirmed in-the-wild exploitation. Given SAP's history, weaponization tends to follow disclosure quickly, so do not wait for confirmed attacks to patch.
We use SAP Commerce Cloud as SaaS. Are we affected?
Cloud-hosted offerings are typically patched by SAP, but you should confirm your specific tenant and any on-premise or hybrid components. The critical flaws span both NetWeaver and Commerce, so verify rather than assume.
Can we mitigate without patching immediately?
You can reduce risk by restricting network access, hardening SAML validation, and disabling unused RFC interfaces, but those are stopgaps. The SAP Notes are the real fix and should be deployed as fast as your change process allows.
How do we detect signature-wrapping attempts?
Look for SAML assertions with unusual structure, repeated authentication from a single user with shifting privileges, and access to data inconsistent with the logged-in identity. Centralized logging of authentication and authorization events is what makes this visible.


