Critical SAP SQL Injection (CVE-2026-27681, CVSS 9.9) Threatens BW/BPC Financial Systems

Summary

SAP has patched a near-maximum severity SQL injection vulnerability (CVE-2026-27681, CVSS 9.9) affecting its Business Planning and Consolidation (BPC) and Business Warehouse (BW) financial systems as part of the April 2026 Security Patch Day. The flaw stems from insufficient authorization checks in an ABAP upload path, allowing an authenticated attacker with low privileges to execute arbitrary SQL commands against backend databases.

Successful exploitation gives attackers complete control over confidentiality, integrity, and availability of the affected systems. In practice, this means extracting sensitive financial and planning data, altering consolidation reports, modifying or deleting figures, and causing significant business disruption across organizations that rely on SAP for financial planning.

SAP released Security Note 3719353 to address the issue. A temporary workaround involves revoking the S_GUI authorization object with Activity 60 (Upload) from user accounts, but immediate patching is strongly recommended.

Sources

Commentary

A CVSS 9.9 in SAP’s financial planning stack is about as bad as enterprise vulnerabilities get. BW/BPC sits at the heart of corporate financial operations — budgeting, forecasting, consolidation reporting. An attacker who can execute arbitrary SQL against these databases could manipulate financial statements, plant fraudulent data, or simply exfiltrate years of strategic financial planning.

The low-privilege requirement makes this especially dangerous. You don’t need an admin account — any authenticated user with basic upload permissions could exploit this. For organizations still running unpatched SAP systems, the temporary workaround of revoking upload permissions is a band-aid, but it’s better than nothing. Patch immediately, and audit your SAP authorization model while you’re at it.
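The workaround in the summary (revoking S_GUI with Activity 60) and the closing advice to audit the SAP authorization model both come down to one question: which accounts actually hold the upload activity today? The script below is an added example, not code from the original post or from SAP, that answers it offline from exports of the standard role tables AGR_1251 (authorization values per role) and AGR_USERS (role-to-user assignment). The field subset used, the sample rows, the role and user names, and the reference date are all constructed assumptions; it handles single values, LOW..HIGH ranges, the '*' wildcard, and expired assignments.

```python
# Added example: list SAP users who hold authorization object S_GUI with
# ACTVT 60 (Upload), the permission the CVE-2026-27681 workaround revokes.
# Input mirrors a subset of the standard tables AGR_1251 and AGR_USERS;
# the rows below are constructed sample data, not from any real system.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AuthValue:            # one AGR_1251 row (subset of fields)
    agr_name: str           # role name
    obj: str                # authorization object, e.g. S_GUI
    field: str              # authorization field, e.g. ACTVT
    low: str                # single value or lower bound of a range
    high: str = ""          # upper bound of a range ("" for a single value)


@dataclass(frozen=True)
class RoleAssignment:       # one AGR_USERS row (subset of fields)
    agr_name: str
    uname: str
    to_dat: date            # assignment valid up to and including this date


def value_grants(low: str, high: str, wanted: str) -> bool:
    """Return True if a LOW/HIGH authorization value covers `wanted`.

    Covers the three shapes found in AGR_1251: the full wildcard '*',
    a range LOW..HIGH, and a single value.
    """
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    return low == wanted


def users_with_activity(auth_rows, assignments, obj="S_GUI",
                        activity="60", today=None):
    """Map user -> sorted roles that grant `obj` ACTVT `activity` and are
    still valid on `today`. Expired role assignments are ignored."""
    today = today or date.today()
    granting_roles = {
        r.agr_name for r in auth_rows
        if r.obj == obj and r.field == "ACTVT"
        and value_grants(r.low, r.high, activity)
    }
    result = {}
    for a in assignments:
        if a.agr_name in granting_roles and a.to_dat >= today:
            result.setdefault(a.uname, set()).add(a.agr_name)
    return {u: sorted(roles) for u, roles in sorted(result.items())}


# Constructed sample export (hypothetical roles and users).
SAMPLE_AUTH = [
    AuthValue("Z_FIN_UPLOAD", "S_GUI", "ACTVT", "60"),          # explicit upload
    AuthValue("Z_FIN_DISPLAY", "S_GUI", "ACTVT", "04"),         # print only
    AuthValue("Z_BASIS_ALL", "S_GUI", "ACTVT", "*"),            # wildcard
    AuthValue("Z_RANGE", "S_GUI", "ACTVT", "01", "70"),         # range covers 60
    AuthValue("Z_FIN_DISPLAY", "S_TCODE", "TCD", "RSA1"),       # unrelated object
]
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("Z_FIN_UPLOAD", "ALICE", date(9999, 12, 31)),
    RoleAssignment("Z_FIN_DISPLAY", "BOB", date(9999, 12, 31)),
    RoleAssignment("Z_BASIS_ALL", "CAROL", date(9999, 12, 31)),
    RoleAssignment("Z_FIN_UPLOAD", "DAVE", date(2025, 12, 31)),  # expired
    RoleAssignment("Z_RANGE", "EVE", date(9999, 12, 31)),
]
REFERENCE_DATE = date(2026, 4, 15)  # constructed "today" for a stable result


def audit_sample():
    return users_with_activity(SAMPLE_AUTH, SAMPLE_ASSIGNMENTS, today=REFERENCE_DATE)


if __name__ == "__main__":
    for user, roles in audit_sample().items():
        print(f"{user}: S_GUI ACTVT 60 via {', '.join(roles)}")
```

On the constructed data this flags ALICE (explicit value), CAROL (wildcard) and EVE (range), and correctly skips BOB and the expired assignment for DAVE. Two caveats for real use: AGR_1251 only reflects role-based grants, so authorizations assigned through profiles directly (SAP_ALL and friends) or composite roles need a separate lookup, and the in-system tools (SUIM, SU53 traces) remain the authoritative check; this is a triage aid for deciding whose upload permission the workaround would remove before the Security Note 3719353 patch is applied.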
