CVE-2026-44744 Overview
CVE-2026-44744 is a SQL injection vulnerability [CWE-89] in a remote-enabled function module (RFM) component of SAP S/4HANA (On-Premise). An authenticated attacker with low privileges can send crafted input over the network to execute unauthorized database queries against the underlying SAP database. The flaw exposes sensitive information to which the attacker should not have access. Confidentiality impact is high, while integrity and availability are not affected.
Critical Impact
An authenticated remote attacker can read sensitive business data from the SAP S/4HANA database by abusing an SQL injection flaw in a remote-enabled function module.
Affected Products
- SAP S/4HANA (On-Premise)
- Remote-enabled function module component (specific module identified in SAP Note #3751691)
- Versions enumerated in the vendor advisory
Discovery Timeline
- 2026-06-09 - CVE-2026-44744 published to NVD
- 2026-06-09 - Last updated in NVD database
- SAP Security Patch Day - SAP releases security patch via SAP Note #3751691
Technical Details for CVE-2026-44744
Vulnerability Analysis
The vulnerability resides in a remote-enabled function module (RFM) exposed by SAP S/4HANA (On-Premise). RFMs are callable over the SAP Remote Function Call (RFC) protocol by any authenticated user holding the appropriate authorization to invoke RFC endpoints. The affected module accepts user-supplied input and concatenates it into an Open SQL or Native SQL statement without sufficient sanitization or parameterization.
Because the attack vector is network-based and only low privileges are required, any account capable of initiating RFC calls to the SAP system can reach the vulnerable code path. Successful exploitation lets the attacker pivot the original query into arbitrary SELECT statements, returning data from tables outside the user's authorization scope. The vulnerability does not allow modification of data or denial of service, but business-sensitive tables such as financial postings, vendor master records, or HR data are within reach.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The RFM constructs a dynamic SQL query by string concatenation using a parameter received from the RFC caller, rather than using parameter binding or strict input validation.
Attack Vector
The attacker authenticates to the SAP system over RFC, SOAP, or another channel that exposes the vulnerable function module. They then invoke the RFM with input containing SQL metacharacters that break out of the intended query context. The injected predicate or UNION clause returns rows from tables the attacker is not authorized to read. No user interaction is required.
No verified public exploit code is available. Refer to SAP Note #3751691 for the technical details restricted to SAP customers.
Detection Methods for CVE-2026-44744
Indicators of Compromise
- Unusual RFC calls to the affected function module from accounts that do not normally use it, particularly from non-dialog or technical users.
- Abnormally large RFC response payloads consistent with bulk data exfiltration through injected SELECT clauses.
- Security Audit Log entries showing repeated failed or successful RFC invocations with malformed parameter values containing quotes, semicolons, or SQL keywords.
Detection Strategies
- Enable and monitor the SAP Security Audit Log (transaction SM19/RSAU_CONFIG) for RFC function module calls, focusing on the module identified in SAP Note #3751691.
- Inspect SAP Gateway logs and HANA SQL traces for queries containing concatenated user input or unexpected UNION SELECT patterns originating from application server processes.
- Correlate authentication events with subsequent RFC traffic to identify low-privileged users issuing reconnaissance calls against sensitive function modules.
Monitoring Recommendations
- Forward SAP Security Audit Log, Gateway log, and HANA audit trail data to a central analytics platform with OCSF normalization for cross-source correlation.
- Baseline normal RFC usage per user and alert on deviations in volume, target function module, or parameter length.
- Track read operations against confidential tables and flag access by users outside the data owner's authorization group.
How to Mitigate CVE-2026-44744
Immediate Actions Required
- Apply the patch referenced in SAP Note #3751691 on all SAP S/4HANA (On-Premise) systems.
- Review authorizations for object S_RFC and restrict access to the affected function group to only the users and technical accounts that require it.
- Audit recent RFC activity targeting the vulnerable module for signs of prior exploitation.
Patch Information
SAP released the corrective fix on SAP Security Patch Day. Customers must download and implement SAP Note #3751691 and verify deployment through the SAP Solution Manager or System Recommendations. Additional context is available on the SAP Security Patch Day portal.
Workarounds
- If immediate patching is not possible, restrict RFC access to the affected function module through S_RFC authorization object values, removing the function group from broad role assignments.
- Configure the SAP Gateway reginfo and secinfo access control lists to limit which hosts and users can register or invoke the affected RFM.
- Increase Security Audit Log verbosity for RFC calls to the vulnerable module to ensure any exploitation attempts are recorded until the patch is applied.
# Example: restrict S_RFC authorization for the affected function group in PFCG
# Field: RFC_TYPE Value: FUGR
# Field: RFC_NAME Value: <function group from SAP Note 3751691>
# Field: ACTVT Value: 16 (execute)
# Remove this authorization from roles assigned to general business users
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
