MEDIUM 6.5

CVE-2026-44744: SAP S/4HANA SQL Injection Vulnerability (CVSS 6.5)

SAP S/4HANA (On-Premise) contains a SQL injection flaw in a remote-enabled function module that allows authenticated users to craft malicious database queries. An attacker with valid credentials could bypass normal access controls and retrieve sensitive data they shouldn't see. The vulnerability does not affect system availability or data integrity—only confidentiality is at risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

SAP S/4HANA(On-Premise) contains SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries.This flaw exposes sensitive information to which they should not otherwise have access to. The vulnerability has a high impact on the confidentiality of the data with no impact on the integrity and availability of the application.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This SQL injection vulnerability (CWE-89) exists in a remote-enabled function module within SAP S/4HANA On-Premise deployments. The flaw permits authenticated attackers to inject arbitrary SQL commands through inadequately sanitized input parameters. The remote-enabled nature of the affected module means the vulnerability is reachable over the network by any user with valid system credentials. The injection leads to unauthorized database query execution, enabling extraction of confidential information. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network-accessible attack surface with low complexity, authenticated access requirement, and high confidentiality impact.

Business impact

Data confidentiality is the primary concern. Authenticated insiders or accounts compromised through credential theft could extract sensitive business data—customer information, financial records, intellectual property, or strategic data stored in the S/4HANA database. While system availability and data integrity remain unaffected, unauthorized data exposure can trigger regulatory compliance violations (GDPR, HIPAA, industry-specific frameworks), damage customer trust, and create legal liability. Organizations with strict data segregation policies may face internal control failures if lower-privileged users exploit the flaw to access information outside their authorized scope.

Affected systems

SAP S/4HANA running On-Premise deployments are affected. Cloud deployments (SAP S/4HANA Cloud) are not impacted by this vulnerability. The vulnerability requires the attacker to be an authenticated user of the system; it cannot be exploited remotely without valid credentials. Organizations running S/4HANA On-Premise should verify their deployment scope and user access policies to identify exposed instances.

Exploitability

Exploitation requires valid S/4HANA credentials—the attacker cannot access the vulnerable function module anonymously. However, once authenticated, the attack is straightforward: the low attack complexity (AC:L) indicates minimal technical skill is needed to craft SQL injection payloads. The vulnerability is not known to be actively exploited in the wild, and it does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog. Insider threats and credential compromise represent the most practical attack vectors.

Remediation

SAP has released patches to address this SQL injection flaw. Organizations should obtain and apply the appropriate patch from SAP's security advisory as soon as possible. Patch availability and version numbers vary by S/4HANA release line; consult your SAP support portal or the official security advisory for your specific deployment version. In parallel, implement compensating controls: restrict remote function module access via authorization roles, enforce principle-of-least-privilege database access, and monitor for unusual SQL query patterns in audit logs.

Patch guidance

Contact SAP support or consult the official SAP security advisory for your S/4HANA On-Premise version to obtain the correct patch. Test patches in a non-production environment before rolling out to live systems. Apply patches promptly given the direct impact on data confidentiality. If patching is delayed, implement temporary mitigations through role-based access control (RBAC) adjustments and network segmentation to limit exposure.

Detection guidance

Monitor S/4HANA database logs and function module audit trails for suspicious SQL patterns, especially queries containing SQL metacharacters (single quotes, UNION clauses, comment sequences) originating from the affected remote-enabled module. Correlate user login activity with anomalous database access patterns; detect low-privileged users querying sensitive tables outside their normal scope. Search for unusual batch job submissions or scheduled tasks that may execute malicious SQL. Review user entitlements to the affected function module and disable access for users who do not require it.

Why prioritize this

Although the CVSS score is MEDIUM (6.5), confidentiality impact on a financial and operational system like S/4HANA warrants prompt attention. S/4HANA typically stores highly sensitive business data; unauthorized disclosure carries significant regulatory and reputational risk. The fact that exploitation requires authentication reduces immediate urgency but does not eliminate the threat, especially in environments with weak credential management or high insider risk. Organizations should patch within 30–60 days unless compensating controls are demonstrably effective.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) reflects high confidentiality impact (C:H) offset by the requirement for authenticated access (PR:L) and absence of integrity/availability effects (I:N, A:N). The network-accessible attack vector (AV:N) and low attack complexity (AC:L) indicate the flaw is easily exploitable once credentials are obtained. The MEDIUM severity classification appropriately balances the real harm (data exposure) against the authentication barrier, making this a relevant but not critical-tier vulnerability.

Frequently asked questions

Does this vulnerability affect SAP S/4HANA Cloud?

No. This vulnerability is specific to SAP S/4HANA On-Premise deployments. Cloud customers are not affected by this flaw.

Can this vulnerability be exploited without valid credentials?

No. The vulnerability requires an authenticated user account with access to the affected remote-enabled function module. Unauthenticated attackers cannot exploit it directly.

What data is at risk?

Any data stored in the S/4HANA database that the attacker's user account can reach via SQL injection becomes accessible. This typically includes customer records, financial data, product information, and operational records—depending on what data the organization stores and how extensively the attacker's account is authorized.

Is there a workaround if we cannot patch immediately?

While not a substitute for patching, you can reduce risk by tightening authorization roles to restrict access to the affected remote-enabled module, enforcing principle-of-least-privilege database access, and monitoring audit logs for suspicious SQL queries. These controls should be temporary measures only; patching is the required permanent fix.

This analysis is based on the official vulnerability disclosure as of the published date. Security researchers and organizations should verify all patch versions, affected product ranges, and remediation steps against the official SAP security advisory and their own deployment configurations. CVSS scores and threat assessments are subject to change as new information emerges. This content is provided for informational purposes and does not constitute professional security advice; consult with qualified cybersecurity professionals for your organization's specific risk posture and remediation strategy. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).