Warning: Critical SQL injection & missing authentication check in SAP! (CVE-2026-34260 & CVE-2026-34263) Patch Immediately!

  • Published: 13/05/2026
  • Last update: 13/05/2026
  • Affected software:
    → SAP S/4HANA (SAP Enterprise Search for ABAP): SAP_BASIS 751, 752, 753, 754, 755, 756, 757, 758, 812, 813, 815, and 816
    → SAP Commerce cloud: HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
  • Type:
    → CWE-89: Improper Neutralization of Special Elements used in an SQL Command (CVE-2026-34260)
    → CWE-459: Incomplete Cleanup (CVE-2026-34263)
  • CVE/CVSS:
    → CVE-2026-34260: CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
    → CVE-2026-34263: CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H)

Sources

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html

Risks

A critical-severity SQL injection vulnerability and a critical-severity authentication bypass were disclosed affecting SAP S/4HANA and SAP Commerce Cloud. Successful exploitation of the SQL injection flaw allows authenticated attackers to bypass security controls and execute arbitrary database queries, potentially leading to the unauthorized disclosure of sensitive business information or system instability. The authentication bypass vulnerability allows unauthenticated remote attackers to circumvent security filters, which could lead to unauthorized configuration changes and application compromise.

These vulnerabilities, identified during the May 2026 SAP Security Patch Day, pose a significant risk to the Confidentiality, Integrity, and Availability of enterprise data. Given that SAP environments often handle core business logic and sensitive financial records, they remain high-value targets for ransomware groups and other malicious actors.

Description

CVE-2026-34260, CVSS: 9.6
SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP) caused by the improper neutralization of special elements in SQL commands (CWE-89). An authenticated attacker can inject malicious SQL statements through user-controlled input. These commands are executed by the underlying database, allowing for unauthorized access to sensitive records.

CVE-2026-34263, CVSS: 9.6
Missing authentication check vulnerability in SAP Commerce Cloud due to an improper Spring Security configuration. This flaw allows an unauthenticated attacker to bypass security filters, potentially enabling unauthorized configuration uploads. While not classified as direct RCE, the bypass provides a significant foothold for further exploitation within the application environment.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for affected systems with the highest priority after thorough testing.
These vulnerabilities were addressed as part of the SAP Security Patch Day - May 2026.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-34260
https://nvd.nist.gov/vuln/detail/CVE-2026-34263