What Happened
SAP released its April 2026 Security Patch Day on April 14, addressing 19 vulnerabilities across its product portfolio. The most critical is CVE-2026-27681 (CVSS 9.9), a SQL injection vulnerability in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW). The flaw exists in an ABAP program with insufficient authorization checks. A low-privileged authenticated user can upload a file containing arbitrary SQL statements, which the system then executes directly against the backend database.
Successful exploitation allows an attacker to read, modify, and delete database contents — including sensitive financial planning data, workforce information, and operational records stored within the affected SAP systems. SAP Security Note #3719353 patches the vulnerability by deactivating all executable code within the affected program. As a temporary workaround, SAP recommends revoking the S_GUI authorization object with Activity 60 (Upload) from non-administrative user accounts, though the company warns this action carries side effects in other applications. The Centre for Cybersecurity Belgium issued a high-priority advisory urging immediate patch application.
Why This Matters for Canadian Organizations
SAP is embedded in the financial planning, procurement, and workforce management operations of large Canadian enterprises, federal departments, and Crown corporations. SAP BPC and BW are specifically used for financial consolidation and business intelligence, which is exactly the data at the core of regulatory reporting obligations under federal and provincial financial oversight regimes. Because the flaw needs nothing more than a standard authenticated account, an attacker who holds one could quietly alter financial records or exfiltrate sensitive business data without triggering the alarms that normally surround privileged or administrative activity.
For Canadian organizations subject to PIPEDA, an unauthorized party gaining access to personal information stored in SAP HR or finance modules creates breach notification obligations. For publicly traded companies, unauthorized access to financial planning data raises securities and disclosure concerns. The CVSS score of 9.9, one step below the maximum, reflects both the breadth of impact (read, modify, and delete across the backend database) and the low bar for exploitation (a low-privileged authenticated account and a file upload). The risk is practical rather than theoretical: authenticated SAP users exist in every division of a large organization, and the attack path requires no exploit development, only a crafted upload file.
What to Do
Apply SAP Security Note #3719353 immediately on all affected SAP BPC and BW systems. If patching is not possible in the near term, revoke the S_GUI authorization object with Activity 60 from all non-essential user accounts as a bridge measure, but treat this as temporary only, given the side effects SAP documents for other applications, and test the revocation in a non-production client before rolling it out. Audit current SAP user permissions (for example via SUIM, selecting users by authorization object S_GUI and field ACTVT) to identify accounts with Activity 60 access that are not operationally required; remember that a role value of "*" or a range that spans 60 grants upload just as an explicit "60" does, so an audit that only searches for the literal value will miss accounts. Engage your SAP Basis team and security operations to prioritize this note in your April maintenance window, and document the remediation action for any compliance audit trail. Contact your SAP support partner if you need assistance applying the note in a production environment.
Source: The Hacker News | Centre for Cybersecurity Belgium

