
SAP Commerce Cloud RCE and S/4HANA SQLi (CVSS 9.6): Patch Before EOD Today

- CVSS 9.6: severity of both CVE-2026-34263 and CVE-2026-34260, released simultaneously on SAP's May 12 Patch Day — two Critical-rated flaws in a single update cycle targeting SAP's most deployed ERP and e-commerce platforms.
- 25,000+: organizations globally running SAP S/4HANA, the enterprise ERP platform affected by the CVE-2026-34260 SQL injection, which Dark Reading confirmed is already under active exploitation on the May 12 patch day.
- 0: credentials required to exploit CVE-2026-34263 in SAP Commerce Cloud — the Spring Security misconfiguration allows any unauthenticated network attacker to upload malicious configurations and execute server-side code.
- 15: total SAP security notes released in the May 12, 2026 Patch Day, of which 2 carry Critical ratings at CVSS 9.6, targeting Commerce Cloud storefronts and S/4HANA ERP backends that are often deployed together.

SAP Commerce Cloud CVE-2026-34263 allows any unauthenticated attacker with network access to upload a malicious configuration and execute arbitrary server-side code on every organization running Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21 — SAP disclosed this flaw alongside a parallel CVSS 9.6 SQL injection in SAP S/4HANA (CVE-2026-34260) that Dark Reading confirmed is already under active attack, both arriving in SAP's May 12, 2026 Patch Day release of 15 security notes.

**SAP Commerce Cloud unauthenticated RCE** (CVE-2026-34263) stems from an incomplete Spring Security configuration in the Commerce Cloud platform. Spring Security controls which endpoints require authentication before processing requests. The vulnerable configuration leaves specific configuration upload endpoints without authentication enforcement. An attacker probes the instance for these endpoints, submits a crafted malicious configuration file, and the application server executes the embedded code. No credentials. No prior access. Full confidentiality, integrity, and availability impact, with scope changed beyond the vulnerable component. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H at a score of 9.6.

Running in parallel in the same Patch Day, CVE-2026-34260 is a SQL injection flaw in SAP S/4HANA's Enterprise Search for ABAP component. Dark Reading reported active exploitation on the same day SAP published the patch. The flaw allows any low-privilege authenticated SAP user to inject malicious SQL into Enterprise Search queries, extracting sensitive database contents or crashing the application. SAP_BASIS versions 751 through 758 and 816 are all affected, covering a significant share of the more than 25,000 organizations running SAP S/4HANA globally. SAP has released patches for both vulnerabilities through the SAP Support Portal and both require same-day application.


How Does SAP Commerce Cloud Unauthenticated RCE (CVE-2026-34263) Work?

**CVE-2026-34263** is classified under CWE-459 (Incomplete Cleanup) and resides in the Spring Security configuration layer of SAP Commerce Cloud. Spring Security is the authentication and authorization framework that governs access to endpoints within the Commerce Cloud application. The flaw stems from an incomplete security policy that leaves specific configuration upload endpoints accessible to unauthenticated requests.

The attack follows three stages. First, an attacker scans the Commerce Cloud instance for endpoints that accept configuration data without validating session credentials or tokens. The misconfigured Spring Security policy allows these requests through without challenge. Second, the attacker submits a specially crafted malicious configuration file to the exposed endpoint. Third, the application server processes the uploaded configuration and executes the embedded code in the context of the Commerce Cloud runtime, giving the attacker arbitrary server-side command execution.

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H decomposes as follows: the attack originates from the network (AV:N), requires no special conditions (AC:L), demands zero authentication (PR:N), includes a user interaction element in the configuration upload flow (UI:R), changes scope beyond the vulnerable component (S:C), and delivers full impact on confidentiality, integrity, and availability. The user interaction element does not require a victim to click anything; it reflects the triggering mechanics of the configuration upload action initiated entirely by the attacker.

Affected versions are SAP Commerce Cloud HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. SAP issued remediation through SAP Note 3733064, available via the SAP Support Portal. Self-managed and hybrid deployments require manual application. SAP-managed cloud customers should verify patch status with SAP directly.

CVE-2026-34260: SAP S/4HANA SQL Injection Confirmed Under Active Attack

**CVE-2026-34260** is a SQL injection vulnerability (CWE-89) in SAP S/4HANA's Enterprise Search for ABAP component, carrying a CVSS score of 9.6. Dark Reading confirmed active exploitation on May 12, 2026 — the same day SAP published the patch — making this a zero-day situation where threat actors acted before organizations could deploy the fix. The simultaneous patch-and-exploit timeline requires treating this as an emergency deployment, not a standard patch cycle.

The vulnerable component is the Enterprise Search interface within the ABAP framework. SAP S/4HANA uses the ABAP Database Connectivity (ADBC) framework to execute native SQL queries. The Enterprise Search for ABAP component processes user-supplied search input and concatenates it directly into SQL statements without parameterized query handling or input sanitization. An authenticated attacker submits a crafted search term embedding SQL syntax to manipulate the underlying query and extract data from database tables beyond the intended result set.

The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H scores 9.6 with low privilege required (PR:L). Any valid SAP user account with permission to invoke the vulnerable Enterprise Search function module constitutes the only prerequisite. In large SAP S/4HANA deployments with hundreds of active users spanning employees, contractors, and system accounts, this threshold is realistic for external attackers who phished or purchased any SAP credential, not just those targeting administrator accounts. Confidentiality impact is high (database records are extractable) and availability impact is high (targeted injection can crash the application). Integrity impact is none, meaning this is a read-and-crash vulnerability rather than a write-access path.

Affected versions span SAP_BASIS 751, 752, 753, 754, 755, 756, 757, 758, and 816. Remediation is SAP Note 3724838 via the SAP Support Portal.

Critical SAP S/4HANA Vulnerability Under Attack, Patch Now.

Dark Reading, May 12, 2026

Which SAP Commerce Cloud and S/4HANA Versions Require Patching Today?

SAP's May 12, 2026 Patch Day released 15 security notes across the SAP product portfolio. CVE-2026-34263 and CVE-2026-34260 are the two Critical-rated vulnerabilities at CVSS 9.6 requiring same-day action.

**CVE-2026-34263 (SAP Commerce Cloud RCE):** Affected versions are HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. Apply SAP Note 3733064 through the SAP Support Portal. Organizations running SAP Commerce Cloud in SAP-managed cloud environments should confirm with SAP whether automatic patching has been applied before marking this resolved. Self-managed and hybrid deployments require manual patch application. The SAP Note references instructions for each supported version track.

**CVE-2026-34260 (SAP S/4HANA SQL Injection):** Affected versions cover SAP_BASIS 751 through 758 and 816. This range encompasses most SAP S/4HANA deployments from 2018 forward, including the widely deployed SAP_BASIS 755 and 756 used in standard S/4HANA 2021 and 2022 releases. Apply SAP Note 3724838 through the SAP Support Portal. Organizations on SAP_BASIS versions outside the disclosed range should confirm scope with SAP support, as adjacent components may carry related risks.

Both vulnerabilities were disclosed for the first time on May 12, 2026, with no prior limited disclosure or pre-announcement. Patches and active exploitation arrived simultaneously, eliminating any standard staged-deployment window. Organizations that cannot apply patches before business day end should implement compensating controls: restrict network access to SAP Commerce Cloud configuration upload endpoints, implement additional authentication layers at the network perimeter for Commerce Cloud administration paths, and alert on anomalous Enterprise Search activity in S/4HANA security logs.

Who Is Targeting SAP Enterprise Systems in 2026?

SAP exploitation has accelerated through 2025 and into 2026 following the joint CISA and Onapsis advisory warning that at least 300 unsecured SAP internet-facing systems had been directly compromised by identified threat actors. Three distinct actor profiles target SAP environments: nation-state groups seeking enterprise intelligence from ERP financial and operational data, financially motivated ransomware affiliates targeting high-value ERP databases, and automated scanning infrastructure that opportunistically probes SAP authentication portals and exploits chained vulnerabilities once a foothold is established.

For CVE-2026-34260, active exploitation confirmed by Dark Reading on patch day is consistent with targeted operations rather than mass scanning, given the requirement for valid SAP user credentials. Attackers operating with previously phished or purchased SAP credentials, or those who escalated from a prior SAP compromise, can now extract sensitive database records without additional privilege escalation. SAP S/4HANA stores financial records, HR data, supply chain logistics, customer contracts, and operational planning data that carry significant intelligence value and ransomware leverage.

For CVE-2026-34263, the unauthenticated attack vector makes Commerce Cloud instances accessible to opportunistic scanning. SAP Commerce Cloud deployments typically expose public-facing storefronts on routable IP addresses. Automated exploit frameworks that fingerprint SAP version headers and known endpoint patterns can identify vulnerable instances within hours of a working exploit becoming available.

The combination creates a compounded risk for organizations that integrate SAP Commerce Cloud with SAP S/4HANA as a standard e-commerce-to-ERP architecture, which is the deployment model used by most large retailers, manufacturers, and consumer goods companies in the SAP ecosystem. An attacker achieving initial RCE on the Commerce Cloud instance through CVE-2026-34263 gains a network-adjacent foothold from which the authenticated threshold for CVE-2026-34260 on an integrated S/4HANA backend becomes reachable through credential extraction or internal lateral movement.

SAP systems running business-critical processes are high-value targets. Threat actors have demonstrated both the capability and intent to exploit SAP vulnerabilities within days of public disclosure.

Onapsis SAP Threat Intelligence Research, 2026

Detection Indicators for CVE-2026-34263 and CVE-2026-34260

SAP application-layer vulnerabilities do not produce traditional static IOCs like file hashes or known-malicious IP addresses at the initial exploitation stage. Detection relies on behavioral monitoring of SAP system logs and network traffic patterns.

For **CVE-2026-34263 (Commerce Cloud RCE)**, monitor for unauthenticated HTTP POST requests to Commerce Cloud endpoints handling configuration uploads, particularly from source IP addresses with no prior session history on the instance. Look for unexpected configuration files appearing in the Commerce Cloud administration interface that are not associated with any change management ticket or deployment record. Alert on new OS-level processes spawned by the Commerce Cloud application server that fall outside normal service operations. Monitor for outbound network connections from the Commerce Cloud application server to external IP addresses not in your approved integration allowlist, which may indicate post-exploitation C2 beacon activity following a successful RCE trigger.

For **CVE-2026-34260 (S/4HANA SQL Injection)**, monitor the SAP Security Audit Log for RFC function module calls to the Enterprise Search component from unexpected user IDs, accounts operating outside business hours, or accounts that have not previously accessed this component. Alert on Enterprise Search queries containing SQL syntax characters including single quotes, double dashes, UNION SELECT sequences, or comment delimiters. Monitor database query execution times for Enterprise Search operations significantly above baseline, which may indicate time-based blind injection probing. Review authentication logs for any low-privilege SAP accounts generating elevated volumes of search activity inconsistent with their normal usage pattern.
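The two behavioural indicators above, as an added example that is not part of the original briefing: simple detectors run over constructed log lines. The log field layouts, the `/config-upload` path, the `ENTERPRISE_SEARCH_FM` name and the business-hours window are placeholders, not SAP's real formats or names; adapt the regexes to your own access-log and Security Audit Log exports.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample logs (placeholder formats, not SAP's own).
COMMERCE_LOG = """\
203.0.113.9 2026-05-12T09:15:10Z GET /storefront/home 200 sess=a1f3
203.0.113.9 2026-05-12T09:16:30Z POST /config-upload 200 sess=a1f3
198.51.100.7 2026-05-12T09:17:02Z POST /config-upload 200 sess=-
198.51.100.7 2026-05-12T09:17:55Z POST /config-upload 500 sess=-
"""
S4HANA_LOG = """\
2026-05-12T08:02:11Z user=JSMITH fm=ENTERPRISE_SEARCH_FM term="invoice 4711"
2026-05-12T10:12:09Z user=MLEE fm=ENTERPRISE_SEARCH_FM term="po 9000123"
2026-05-12T23:41:03Z user=SVC_PRINT fm=ENTERPRISE_SEARCH_FM term="acme' OR 1=1 --"
2026-05-12T11:05:00Z user=JSMITH fm=ENTERPRISE_SEARCH_FM term="x' UNION SELECT 1,2"
"""

CONFIG_UPLOAD_PATHS = ("/config-upload",)   # placeholder endpoint list
SQL_SYNTAX = re.compile(r"'|--|/\*|\bunion\s+select\b", re.IGNORECASE)
BUSINESS_HOURS = range(7, 19)                # 07:00-18:59 UTC, assumed
COMMERCE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) sess=(\S+)$")
S4_RE = re.compile(r'^(\S+) user=(\S+) fm=(\S+) term="(.*)"$')


def commerce_alerts(log: str) -> List[Dict[str, str]]:
    """Flag POSTs to config-upload paths with no session (anonymous request),
    noting whether the source IP has ever held a session on this instance."""
    matches = [COMMERCE_RE.match(l) for l in log.splitlines() if l.strip()]
    known_ips = {m.group(1) for m in matches if m and m.group(6) != "-"}
    alerts = []
    for m in matches:
        if not m:
            continue
        ip, ts, method, path, status, sess = m.groups()
        if method == "POST" and path.startswith(CONFIG_UPLOAD_PATHS) and sess == "-":
            reason = "unauthenticated config upload"
            if ip not in known_ips:
                reason += ", no prior session from IP"
            alerts.append({"ip": ip, "time": ts, "path": path,
                           "status": status, "reason": reason})
    return alerts


def s4hana_alerts(log: str, baseline_users: Set[str]) -> List[Dict[str, str]]:
    """Flag Enterprise Search calls whose term carries SQL syntax, or that come
    from a user outside the component's baseline or outside business hours."""
    alerts = []
    for line in log.splitlines():
        m = S4_RE.match(line)
        if not m:
            continue
        ts, user, fm, term = m.groups()
        reasons = []
        if SQL_SYNTAX.search(term):
            reasons.append("sql syntax in search term")
        if user not in baseline_users:
            reasons.append("user not in component baseline")
        if datetime.fromisoformat(ts.replace("Z", "+00:00")).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"user": user, "time": ts, "fm": fm, "term": term,
                           "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in commerce_alerts(COMMERCE_LOG) + s4hana_alerts(S4HANA_LOG, {"JSMITH", "MLEE"}):
        print(alert)
```

The baseline user set would normally be built from a prior window of the same log rather than hard-coded.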


How to Patch SAP Commerce Cloud and S/4HANA Before End of Day

Both patches are available now through the SAP Support Portal. Execute these steps in priority order before close of business today.


Why SAP Commerce Cloud Unauthenticated RCE Matters for Your Organization

SAP Commerce Cloud and SAP S/4HANA together form the revenue and operations backbone for thousands of global enterprises. A compromised Commerce Cloud instance exposes customer PII, payment transaction data, order histories, product pricing, and integration credentials connecting the storefront to backend S/4HANA ERP and financial systems. A compromised S/4HANA environment exposes financial statements, HR records, supply chain logistics, procurement data, and operational intelligence that represent years of business value and regulatory-sensitive information.

SAP Commerce Cloud unauthenticated RCE makes CVE-2026-34263 operable without any investment in reconnaissance or credential theft. Automated scanning tools that identify SAP version headers and known endpoint patterns can flag affected instances from internet exposure data within hours of a working exploit circulating. SAP Commerce Cloud's history of critical RCE exploitation — including Spring4Shell and multiple Hybris authentication bypasses across 2022 through 2025 — shows that the platform receives sustained attacker attention.

The parallel active exploitation of CVE-2026-34260 in S/4HANA on the same patch day confirms that threat actors are already targeting SAP environments on May 12. The compounded risk for organizations running integrated Commerce Cloud and S/4HANA deployments is particularly acute: initial access through the unauthenticated Commerce Cloud RCE provides a network foothold from which internal SAP user credentials may be extracted, meeting the low-privilege threshold required for the S/4HANA SQL injection with no external attack required.

For additional context on the pattern of critical unauthenticated RCE in enterprise products this year, the [CVE-2026-0300 PAN-OS firewall zero-day](/blog/cve-2026-0300-panos-firewall-rce-mitigation) demonstrated how quickly state-sponsored actors operationalize unauthenticated network device exploits. Apply SAP Notes 3733064 and 3724838 today.

The bottom line

SAP Commerce Cloud unauthenticated RCE CVE-2026-34263 gives any network attacker arbitrary server-side code execution with zero credentials required. SAP S/4HANA SQL injection CVE-2026-34260 is already under confirmed active exploitation against organizations running SAP_BASIS 751 through 758 and 816. Both carry CVSS 9.6, and both patches were released today on SAP's May 12 Patch Day. Three key takeaways: CVE-2026-34263 creates an open unauthenticated attack surface on your Commerce Cloud storefront until patched, any valid SAP account is sufficient to exploit CVE-2026-34260, and integrated Commerce Cloud and S/4HANA deployments face a chained lateral movement path from storefront to ERP. Apply SAP Notes 3733064 and 3724838 via the SAP Support Portal before end of business today.

Frequently asked questions

What is CVE-2026-34263 in SAP Commerce Cloud?

CVE-2026-34263 is a critical unauthenticated remote code execution vulnerability in SAP Commerce Cloud, disclosed on May 12, 2026, with a CVSS score of 9.6. The flaw stems from an improper Spring Security configuration that leaves specific configuration upload endpoints accessible without authentication. An attacker with network access can upload a malicious configuration file to the exposed endpoint and trigger arbitrary server-side code execution with no credentials required. Affected versions are HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. The remediation is SAP Note 3733064, available via the SAP Support Portal.

How does the SAP Commerce Cloud Spring Security misconfiguration enable unauthenticated RCE?

SAP Commerce Cloud uses Spring Security as its authentication and authorization framework to control which endpoints require credentials. CVE-2026-34263 arises because the Spring Security configuration incompletely secures configuration upload endpoints, leaving them accessible without a session or token. An attacker probes for these endpoints, submits a crafted malicious configuration file, and the application server processes the file and executes embedded code in the context of the Commerce Cloud runtime. The full CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, reflecting network-accessible, low-complexity exploitation with no privilege requirement and full impact on confidentiality, integrity, and availability.

Which SAP Commerce Cloud versions are affected by CVE-2026-34263?

CVE-2026-34263 affects SAP Commerce Cloud HY_COM version 2205, COM_CLOUD version 2211, and COM_CLOUD version 2211-JDK21. Customers running SAP Commerce Cloud in SAP-managed cloud environments should confirm with SAP whether automatic patching has been applied. Self-managed and hybrid deployments require manual application of SAP Note 3733064 through the SAP Support Portal. Organizations unsure of their Commerce Cloud version string should check the SAP administration console or contact SAP support to verify before assuming they are unaffected.

Is CVE-2026-34263 in SAP Commerce Cloud being actively exploited?

SAP's May 12, 2026 advisory does not confirm active exploitation of CVE-2026-34263 at time of publication. However, the unauthenticated nature of the flaw makes it immediately actionable by any attacker with network visibility to the Commerce Cloud instance. SAP Commerce Cloud storefronts are frequently internet-facing with publicly routable addresses, making them scannable by automated exploit frameworks. The history of SAP Commerce Cloud exploitation — including Spring4Shell in 2022 — demonstrates that working exploits for SAP web application vulnerabilities circulate publicly within days of disclosure. Apply SAP Note 3733064 today rather than waiting for confirmed exploitation reports.

What is CVE-2026-34260 in SAP S/4HANA Enterprise Search?

CVE-2026-34260 is a critical SQL injection vulnerability (CWE-89) in SAP S/4HANA's Enterprise Search for ABAP component, disclosed on May 12, 2026, with a CVSS score of 9.6. The vulnerable component uses the ABAP Database Connectivity framework to execute native SQL queries, concatenating user-supplied search terms directly into the query without sanitization. An authenticated attacker with any valid low-privilege SAP user account can submit a crafted search term containing SQL syntax, extracting sensitive database records or causing application crashes. Dark Reading confirmed active exploitation on May 12. Affected versions are SAP_BASIS 751 through 758 and 816. Remediation is SAP Note 3724838.

Does CVE-2026-34260 in SAP S/4HANA require admin credentials to exploit?

No. CVE-2026-34260 requires only a low-privilege authenticated SAP user account. Any valid SAP user with permission to access the Enterprise Search for ABAP function module is a sufficient prerequisite. In large SAP deployments with hundreds of active employees, contractors, and system accounts, this threshold is realistic both for external attackers who obtained any credential through phishing and for insider threats. The low privilege requirement combined with a CVSS score of 9.6 and confirmed active exploitation makes this a high-priority patch regardless of whether your S/4HANA instance is internet-facing.

How do I patch SAP Commerce Cloud CVE-2026-34263 and SAP S/4HANA CVE-2026-34260?

For CVE-2026-34263, apply SAP Note 3733064 through the SAP Support Portal for affected Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. For CVE-2026-34260, apply SAP Note 3724838 for all affected SAP_BASIS versions: 751, 752, 753, 754, 755, 756, 757, 758, and 816. After patching Commerce Cloud, audit recent configuration upload activity in the administration interface for unauthorized changes. After patching S/4HANA, review the SAP Security Audit Log for anomalous Enterprise Search activity or RFC calls from unexpected user IDs in the past 72 hours.

How do I detect exploitation of CVE-2026-34263 in my SAP Commerce Cloud environment?

Monitor for unauthenticated HTTP POST requests to Commerce Cloud endpoints that handle configuration uploads, particularly from IP addresses with no prior session history on the instance. Look for unexpected configuration files in the Commerce Cloud administration interface not associated with any change management record. Watch for new OS-level processes spawned by the Commerce Cloud application server that fall outside normal service operations. Monitor outbound network connections from the Commerce Cloud application server to external IP addresses not in your approved integration list, which may indicate post-exploitation command-and-control beacon activity following successful RCE.

Sources & references

  1. SAP Security Patch Day — May 2026
  2. Dark Reading — Critical SAP S/4HANA Vulnerability Under Attack, Patch Now
  3. TheHackerWire — SAP Commerce Cloud RCE via Spring Security Misconfiguration
  4. TheHackerWire — SAP S/4HANA SQL Injection CVE-2026-34260
  5. Vulnerability-Lookup — CVE-2026-34263
  6. Vulnerability-Lookup — CVE-2026-34260


Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest.
