Security
SAP June 2026 Security Patch Day and Fortinet patches: critical SAML and command injection flaws
- Category: Security
- Status: confirmed
- Sources: SAP Security Patch Day June 2026, SecurityWeek
- Summary: SAP released four critical fixes on 2026-06-10. CVE-2026-44748 (CVSS 9.9, SAP Note 3746332) is an XML signature wrapping flaw in SAML authentication across SAP NetWeaver AS ABAP and ABAP Platform covering SAP_BASIS versions 702 through 919; an authenticated attacker can tamper with signed SAML assertions to bypass SSO access controls or impersonate other users. CVE-2026-27671 (CVSS 9.8) is a memory corruption flaw in Application Server ABAP. Fortinet also released patches on 2026-06-10 for CVE-2026-25089 (CVSS 9.1, FortiSandbox unauthenticated OS command injection via HTTP) and CVE-2026-44277 (CVSS 9.1, FortiAuthenticator unauthenticated improper access control). None of the four vulnerabilities were observed exploited at time of disclosure.
- Why it matters: CVE-2026-44748 affects SAML SSO across a broad range of SAP BASIS versions in use today; organizations relying on federated authentication should prioritize applying SAP Note 3746332.