Introduction
An authenticated SQL injection in SAP S/4HANA's Enterprise Search for ABAP component lets a low privilege user extract sensitive database contents and crash the application, earning a CVSS score of 9.6. With nine versions of SAP BASIS affected and SAP environments routinely housing financial, HR, and supply chain data, this vulnerability represents a significant exposure for organizations running unpatched S/4HANA deployments.
Technical Information
The root cause of CVE-2026-34260 is a classic CWE-89 flaw: improper neutralization of special elements used in an SQL command. The SAP Enterprise Search for ABAP component accepts user controlled input and directly concatenates it into SQL queries before passing them to the underlying database. No parameterization, escaping, or input validation is applied at the point of query construction.
The CVSS 3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H. A few details worth noting here:
- Network accessible: The attack does not require local or adjacent network access.
- Low privileges required: Any authenticated user with minimal authorization can attempt exploitation.
- Changed scope: The vulnerability in the Enterprise Search component can affect resources beyond its own security boundary, which is what pushes the score to 9.6.
- Confidentiality and availability are both rated high; integrity is unaffected, meaning the attacker can read data and disrupt service but cannot modify database contents through this vector.
Attack Flow
- An attacker authenticates to the SAP S/4HANA system with a low privilege account.
- The attacker navigates to the Enterprise Search interface, which provides search functionality backed by ABAP code that constructs SQL queries.
- The attacker supplies crafted input containing SQL injection payloads in one or more search fields.
- The application concatenates this input directly into a SQL statement without sanitization.
- The database executes the manipulated query with the privileges of the application's database connection.
- Depending on the injected payload, the attacker can enumerate database tables, extract sensitive records (high confidentiality impact), or trigger conditions that crash the application (high availability impact).
Because the scope is changed, the impact extends beyond the Enterprise Search component itself; the attacker effectively gains a channel to interact with the broader database layer.
Affected Systems and Versions
The vulnerability impacts the SAP Enterprise Search for ABAP component across the following SAP BASIS versions within SAP S/4HANA:
| Vendor | Product | Affected Component Version |
|---|---|---|
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 751 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 752 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 753 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 754 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 755 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 756 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 757 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 758 |
| SAP SE | SAP S/4HANA Enterprise Search for ABAP | SAP BASIS 816 |
Organizations should inventory their SAP environments to determine whether any of these SAP BASIS versions are deployed.
Vendor Security History
SAP maintains a monthly security patch cadence and has a track record of addressing SQL injection and authorization flaws in its ABAP stack. During the April 2026 Patch Day, SAP resolved a separate CVSS 9.9 SQL injection vulnerability in SAP Business Planning and Consolidation, another ABAP based component. The recurrence of critical SQL injection findings in ABAP components suggests that legacy code paths in the ABAP stack continue to present injection risks, and that organizations relying on SAP should treat each monthly Patch Day as a priority event.
References
- NVD: CVE-2026-34260
- CVE Record: CVE-2026-34260
- SAP Note 3724838 (SAP for Me)
- SAP Security Patch Day
- SAP Patches Critical ABAP Vulnerability (SecurityWeek)
- SAP Patch Day April 2026: Critical SQL Injection and Authorization Flaws (Pathlock)
- SAP Q1 2026 Quarterly Statement
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog (April 2026)
- CISA Adds Five Known Exploited Vulnerabilities to Catalog (March 2026)



