SQL Injection Vulnerability in SAP S/4HANA Affecting Enterprise Search for ABAP
CVE-2026-34260

9.6 CRITICAL

Key Information:

Vendor: SAP
CVE Published: 12 May 2026

What is CVE-2026-34260?

SAP S/4HANA, specifically its Enterprise Search for ABAP component, is vulnerable to a SQL injection flaw. The issue allows an authenticated attacker to manipulate SQL queries by injecting malicious statements through user input. Because that input is not properly validated and sanitized, successful exploitation can lead to unauthorized access to sensitive database information, potentially compromising data confidentiality and application availability. Organizations using affected versions should apply the necessary patches and implement security measures to mitigate the risks associated with this vulnerability.

Affected Version(s)

SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 751

SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 752

SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 753

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
