ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34260 SQL Injection in SAP S/4HANA Enterprise Search for ABAP (CVSS 9.6)

A brief summary of CVE-2026-34260, a critical SQL injection vulnerability in SAP S/4HANA Enterprise Search for ABAP that allows authenticated attackers to extract sensitive data and crash the application across nine SAP BASIS versions.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-11

Brief Summary: CVE-2026-34260 SQL Injection in SAP S/4HANA Enterprise Search for ABAP (CVSS 9.6)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An authenticated SQL injection in SAP S/4HANA's Enterprise Search for ABAP component lets a low privilege user extract sensitive database contents and crash the application, earning a CVSS score of 9.6. With nine versions of SAP BASIS affected and SAP environments routinely housing financial, HR, and supply chain data, this vulnerability represents a significant exposure for organizations running unpatched S/4HANA deployments.

Technical Information

The root cause of CVE-2026-34260 is a classic CWE-89 flaw: improper neutralization of special elements used in an SQL command. The SAP Enterprise Search for ABAP component accepts user controlled input and directly concatenates it into SQL queries before passing them to the underlying database. No parameterization, escaping, or input validation is applied at the point of query construction.

The CVSS 3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H. A few details worth noting here:

  • Network accessible: The attack does not require local or adjacent network access.
  • Low privileges required: Any authenticated user with minimal authorization can attempt exploitation.
  • Changed scope: The vulnerability in the Enterprise Search component can affect resources beyond its own security boundary, which is what pushes the score to 9.6.
  • Confidentiality and availability are both rated high; integrity is unaffected, meaning the attacker can read data and disrupt service but cannot modify database contents through this vector.

Attack Flow

  1. An attacker authenticates to the SAP S/4HANA system with a low privilege account.
  2. The attacker navigates to the Enterprise Search interface, which provides search functionality backed by ABAP code that constructs SQL queries.
  3. The attacker supplies crafted input containing SQL injection payloads in one or more search fields.
  4. The application concatenates this input directly into a SQL statement without sanitization.
  5. The database executes the manipulated query with the privileges of the application's database connection.
  6. Depending on the injected payload, the attacker can enumerate database tables, extract sensitive records (high confidentiality impact), or trigger conditions that crash the application (high availability impact).

Because the scope is changed, the impact extends beyond the Enterprise Search component itself; the attacker effectively gains a channel to interact with the broader database layer.

Affected Systems and Versions

The vulnerability impacts the SAP Enterprise Search for ABAP component across the following SAP BASIS versions within SAP S/4HANA:

VendorProductAffected Component Version
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 751
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 752
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 753
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 754
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 755
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 756
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 757
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 758
SAP SESAP S/4HANA Enterprise Search for ABAPSAP BASIS 816

Organizations should inventory their SAP environments to determine whether any of these SAP BASIS versions are deployed.

Vendor Security History

SAP maintains a monthly security patch cadence and has a track record of addressing SQL injection and authorization flaws in its ABAP stack. During the April 2026 Patch Day, SAP resolved a separate CVSS 9.9 SQL injection vulnerability in SAP Business Planning and Consolidation, another ABAP based component. The recurrence of critical SQL injection findings in ABAP components suggests that legacy code paths in the ABAP stack continue to present injection risks, and that organizations relying on SAP should treat each monthly Patch Day as a priority event.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization