RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: sap (2 articles)Clear
vulnerability
CVE-2026-34263CVE-2026-34260CVE-2026-34259
2026-05-13

SAP patches two critical CVSS 9.6 flaws in Commerce Cloud and S/4HANA - the ERP and e-commerce platforms behind most large retailers and global enterprises (CVE-2026-34263, CVE-2026-34260)

SAP's May Patch Day included two CVSS 9.6 critical flaws. CVE-2026-34263 in Commerce Cloud is a missing authentication check from improperly ordered Spring Security rules - unauthenticated attackers can upload configurations and inject code. CVE-2026-34260 in S/4HANA is a SQL injection in the ABAP Enterprise Search component that lets low-privilege authenticated users steal sensitive database records. Both land less than two weeks after four SAP npm packages were hit in the Mini Shai-Hulud attack, putting SAP customers under compounding patch pressure.

sapcommerce-clouds-4hanaerpsql-injectionmissing-authcvss-9-6onapsis
Check
Inventory SAP Commerce Cloud and S/4HANA instances. Check note application status in Solution Manager or SAP Support Portal. Search application logs for unusual configuration upload attempts.
Affected
SAP Commerce Cloud (all on-prem before patch) - CVE-2026-34263, CVSS 9.6. S/4HANA with ABAP Enterprise Search enabled - CVE-2026-34260, CVSS 9.6. Internet-facing Commerce Cloud is at acute risk.
Fix
Apply SAP Security Notes 3733064 (Commerce Cloud) and 3724838 (S/4HANA). Restrict Commerce Cloud admin endpoints to trusted IPs. Audit Enterprise Search query logs for SQL injection signatures.
threat
2026-04-29

Hackers compromised four official SAP developer packages and used them to steal credentials from any developer who installed an update

Attackers compromised four official SAP npm packages on Wednesday and replaced them with versions that quietly steal developer credentials when installed. The packages - mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service - are SAP's open-source tools for cloud application development. Anyone who ran 'npm install' between 09:55 and 12:14 UTC on April 29 had their machine grab GitHub tokens, npm credentials, and AWS, Azure, and GCP secrets, then dump them into public GitHub repositories on the victim's own account. The same attackers (TeamPCP) hit Trivy, Checkmarx, and Bitwarden earlier this year. The malware skips Russian-language systems entirely.

sapnpmsupply-chainteampcpmini-shai-huludcredential-theftci-cdpreinstall-hookbun-runtimerussian-language-guardrail
Check
Audit your CI/CD pipelines and dev machines for the four compromised SAP packages installed between April 29 09:55 and 13:46 UTC, and rotate every credential on those machines.
Affected
Any developer or CI/CD environment that ran 'npm install' on mbt 1.2.48, @cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, or @cap-js/db-service 2.10.1. SAP enterprise shops running CAP are at acute risk because these are core SAP development packages.
Fix
Update to clean SAP versions: @cap-js/db-service 2.11.0, @cap-js/sqlite 2.4.0, @cap-js/postgres 2.3.0. Rotate every GitHub token, npm token, and cloud credential (AWS, Azure, GCP) on machines that touched those packages. Search GitHub for repositories with the description 'A Mini Shai-Hulud has Appeared' belonging to your developers and report them to GitHub.