SAP Security Notes May 2026: Supply-Chain Attack and Critical Vulnerabilities Explained

The SAP security advisories for May 2026 address several high-impact vulnerabilities, including a targeted software supply-chain attack, a “Hot News” SQL injection in S/4HANA, a missing authentication check in Commerce Cloud, and a high-risk OS command injection. Organizations should treat these notes as urgent and prioritize remediation to mitigate significant risks.

Executive Summary

SAP’s security updates for May 2026 highlight critical risks across the enterprise landscape, from developer tooling to core business applications. The most urgent issue is SAP Security Note 3747787, which details the Mini Shai-Hulud supply-chain attack targeting SAP cloud developers through malicious npm packages. This campaign aimed to steal high-value developer, cloud, and CI/CD credentials. Additionally, SAP released patches for three other significant vulnerabilities. A “Hot News” SAP Security Note 3724838 addresses a critical SQL injection vulnerability (CVE-2026-34260) in SAP S/4HANA that could expose sensitive data. SAP Security Note 3733064 fixes a missing authentication check (CVE-2026-34263) in SAP Commerce Cloud, which could allow for remote code execution. Finally, SAP Security Note 3732471 patches a high-risk OS command injection (CVE-2026-34259) in SAP Forecasting & Replenishment, potentially leading to a full system compromise.

Key Takeaways

  • A software supply-chain attack named “Mini Shai-Hulud” targeted SAP developers via malicious npm packages to steal credentials.
  • A critical “Hot News” SQL injection vulnerability (CVE-2026-34260) was patched in SAP S/4HANA Enterprise Search.
  • A missing authentication check in SAP Commerce Cloud (CVE-2026-34263) could allow an unauthenticated attacker to execute code.
  • A high-risk OS command injection flaw (CVE-2026-34259) was fixed in SAP Forecasting & Replenishment.
  • Organizations must act urgently to identify affected systems and apply all relevant patches to prevent data exposure and system compromise.

May 2026 SAP Security Vulnerabilities Overview

SAP Security Note | CVE ID | Vulnerability Type | Affected Product(s) | Risk / Impact
--- | --- | --- | --- | ---
3747787 | N/A | Software Supply-Chain Attack | SAP CAP, MTA, BTP Development Tooling | Credential theft, source code exposure, CI/CD compromise
3724838 | CVE-2026-34260 | SQL Injection | SAP S/4HANA (Enterprise Search) | High impact on confidentiality and availability
3733064 | CVE-2026-34263 | Missing Authentication Check | SAP Commerce Cloud | Remote code execution, full C/I/A compromise
3732471 | CVE-2026-34259 | OS Command Injection | SAP Forecasting & Replenishment | Full compromise of confidentiality, integrity, and availability

What is the Mini Shai-Hulud Supply-Chain Attack? (Note 3747787)

SAP Security Note 3747787 is an urgent advisory addressing the Mini Shai-Hulud malware campaign. This attack targeted the software supply chain for SAP cloud development by injecting malicious code into popular npm packages, including mbt, @cap-js/sqlite, and others associated with SAP CAP and MTA tooling. The malware executed automatically during npm install, using a preinstall script to download the Bun runtime and launch a credential-stealing payload.

The primary goal was to steal developer, GitHub, npm, cloud, and CI/CD credentials from developer workstations and build environments. The malware also attempted to propagate by using stolen tokens to publish itself to other packages and created persistence mechanisms in IDEs like VS Code. Because of the risk of stolen credentials and persistent access, simply removing the package is insufficient. Recommended actions include identifying all systems where the packages were installed, rotating all potentially exposed credentials, and searching for indicators of compromise like suspicious GitHub repositories or modified IDE configurations.

What is the SQL Injection Vulnerability in S/4HANA? (Note 3724838)

SAP Security Note 3724838 patches a “Hot News” SQL injection vulnerability, tracked as CVE-2026-34260, in SAP S/4HANA’s Enterprise Search for ABAP. The vulnerability affects SAP_BASIS releases 7.51 through 7.58 and 8.16. It arises because user-controlled input is not properly sanitized before being passed to the database.

An authenticated attacker could exploit this flaw to inject malicious SQL statements, allowing them to gain unauthorized access to sensitive database information. While the vulnerability does not impact data integrity, it has a high impact on confidentiality and could cause application instability or crashes, affecting availability. SAP’s correction validates user input to prevent the execution of malicious SQL.

What is the Missing Authentication Vulnerability in Commerce Cloud? (Note 3733064)

SAP Security Note 3733064 addresses a critical missing authentication check in SAP Commerce Cloud, identified as CVE-2026-34263. The issue stems from an improper Spring Security configuration with overly permissive access rules, which could allow an unauthenticated attacker to access a sensitive configuration upload function.

This vulnerability poses a severe risk, as an attacker could upload a malicious configuration to achieve arbitrary server-side code execution. Successful exploitation could lead to a complete compromise of the application’s confidentiality, integrity, and availability. SAP has addressed the flaw by disabling the configuration upload functionality by default. The fix is available in SAP Commerce Cloud releases 2205.49, 2211.51, and 2211-jdk21.10.

What is the OS Command Injection in Forecasting & Replenishment? (Note 3732471)

SAP Security Note 3732471 fixes a high-risk OS command injection vulnerability (CVE-2026-34259) in SAP Forecasting & Replenishment. The flaw could allow an authenticated attacker with administrative privileges to execute arbitrary operating system commands by abusing a function module with insufficient input validation.

Successful exploitation could lead to a complete compromise of the system’s confidentiality, integrity, and availability. An attacker could read, modify, or delete system data, execute unauthorized commands on the server, or shut down the system entirely. SAP has corrected the issue by implementing proper authorization checks and command screening.

Frequently Asked Questions (FAQ)

What was the most urgent SAP security issue in May 2026?
The most urgent issue was the Mini Shai-Hulud software supply-chain attack detailed in SAP Security Note 3747787. It targeted high-value developer and cloud credentials via malicious npm packages, posing a significant risk of widespread compromise.

Which SAP products had critical or high-risk vulnerabilities?
Critical or high-risk vulnerabilities were patched in SAP S/4HANA (SQL Injection, CVE-2026-34260), SAP Commerce Cloud (Missing Authentication/RCE, CVE-2026-34263), and SAP Forecasting & Replenishment (OS Command Injection, CVE-2026-34259).

What is Mini Shai-Hulud?
Mini Shai-Hulud is a malware campaign that targeted SAP developers by compromising trusted npm packages used for SAP cloud development. The malware was designed to automatically execute upon installation and steal a wide range of credentials, including those for GitHub, npm, and cloud services.

What action is recommended for these vulnerabilities?
Organizations should immediately review the specific SAP Security Notes to identify affected systems. It is critical to apply the recommended patches, correction instructions, or support packages as soon as possible to mitigate the risk of data breaches, system compromise, and operational disruption.
