SAP Security Notes, February 2026
Hot news note 3697099 patches a critical code injection vulnerability in SAP S/4HANA and SAP CRM. Attackers can exploit the vulnerability to execute arbitrary SQL statements by calling function modules using the Scripting Editor. As a workaround, the Scripting Editor can be disabled by deactivating the ICF service CRM_IC_ISE in the sap/bc/bsp/sap service path.
Hot news note 3674774 addresses a critical missing authentication check impacting background RFCs in SAP NetWeaver AS ABAP. In addition to applying the recommended support package, profile parameter rfc/authCheckInPlayback should be set to the value 2 to enable stronger authorization checks for transactional (tRFC) and queued RFC (qRFC) calls.
Note 3697567 enhances the verification procedures for XML signatures to address an XML Signature Wrapping vulnerability in NetWeaver AS ABAP. As a workaround, the vulnerable XML verification mechanisms can be avoided by disabling SAML and switching to alternative authentication methods.
Note 3705882 patches an information disclosure vulnerability in the ST-PI Addon installed in NetWeaver AS ABAP systems. The vulnerability can be exploited to obtain sensitive system information.
Notes 3674246, 3678282 and 3654236 address open redirect and denial of service vulnerabilities in SAP BusinessObjects.
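To confirm the profile setting recommended with note 3674774, the following added example (not SAP's code or part of the original notes) checks exported profile text for rfc/authCheckInPlayback. It assumes the plain "name = value" profile layout with "#" comment lines; the sample profiles, status labels and function names are constructed for illustration.

```python
PARAM = "rfc/authCheckInPlayback"   # parameter named in note 3674774
REQUIRED = "2"                      # value the note recommends

# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = DEV
rfc/authCheckInPlayback = 2
"""
INSTANCE_PFL = """\
# instance profile (constructed)
INSTANCE_NAME = D00
rfc/authCheckInPlayback = 1
"""

def parse_profile(text):
    """Parse 'name = value' lines; skip blanks and '#' comments; last wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit(default_text, instance_text):
    """Return (status, value, source) for PARAM across both profiles."""
    # The instance profile is checked first because it overrides DEFAULT.PFL.
    layers = [("instance", parse_profile(instance_text)),
              ("default", parse_profile(default_text))]
    for source, params in layers:
        if PARAM in params:
            status = "OK" if params[PARAM] == REQUIRED else "MISMATCH"
            return (status, params[PARAM], source)
    # Exact name absent: flag a differently-cased spelling for manual review.
    for source, params in layers:
        for name, value in params.items():
            if name.lower() == PARAM.lower():
                return ("MISSPELLED", value, source)
    return ("NOT_SET", None, None)

if __name__ == "__main__":
    print(audit(DEFAULT_PFL, INSTANCE_PFL))
```

The instance-level override in the sample is the case worth catching: DEFAULT.PFL carries the recommended value, but the instance profile replaces it.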

