Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-27681 |
| Alert Source | SAP Security Patch Day - April 2026 |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-14 |
| Vendor | SAP |
| Product | SAP Business Planning and Consolidation / SAP Business Warehouse |
| CVSS Score | 9.9 (Critical) |
| CISA KEV | No |
| Ransomware | Not confirmed |

Vulnerability Description
An SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse allows attackers to manipulate database queries, potentially leading to unauthorized data access, data modification, denial of service, and full system compromise.
This is one of the most severe vulnerabilities published as part of SAP Security Patch Day in April 2026, with a CVSS score of 9.9 out of 10.

Affected Products and Versions
| Product | Versions |
|---|---|
| SAP Business Planning and Consolidation (HANA) | HANABPC 810 |
| SAP BPC for S/4HANA | BPC4HANA 300 |
| SAP Business Warehouse | SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816 |

Required Actions
- Immediately apply SAP Security Note 3719353
- Review system logs for unusual SQL queries
- Restrict network access to BPC/BW components until the patch is applied
- Verify user permissions in affected systems

Who Is Affected?
This vulnerability affects organizations using SAP Business Planning and Consolidation and SAP Business Warehouse in the listed versions. Due to the critical nature of this vulnerability (CVSS 9.9), immediate patching is strongly recommended.
