
SAP's 9.9 CVSS Nightmare: The SQL Injection Flaw That Could Topple Global Finance Systems

2026.04.19

CVE-2026-27681 and Why ABAP Security Deserves Your Attention in April 2026

On April 8, 2026, SAP released its monthly patch day with 20 security notes. One number stands out above the rest: a CVSS score of 9.9. That number belongs to CVE-2026-27681, a SQL injection flaw in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse that an authenticated low-privileged user can exploit to run arbitrary SQL against the core financial database.


What Happened


The vulnerable ABAP program accepts a file upload that is supposed to contain formatted data, but it fails to sanitize the contents. An attacker with basic read access — not an admin, just a regular user with valid log-in credentials — can craft a file containing arbitrary SQL statements. Once uploaded, those statements execute against the database engine with the privileges of the application server. In SAP BPC, that is the engine holding consolidated financials, budgets, and plan versions for the entire enterprise.
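The defensive pattern this flaw violates, as an added example that is not SAP's code or the vulnerable ABAP program: a loader for an uploaded file of formatted plan rows that parses every field into a typed value and hands it to the database only as a bound parameter, so nothing from the file is ever spliced into SQL text, and a file with even one malformed row is rejected whole. The plan_data table, the account/period/amount layout and the sample upload (including its malformed last line) are constructed for illustration; sqlite3 stands in for the real database.

```python
import re
import sqlite3

# Constructed sample upload in an assumed "account;period;amount" layout.
# The last line is a deliberately malformed row that a strict parser must reject.
SAMPLE_UPLOAD = """\
400000;2026001;1250.50
400000;2026002;980.00
410000;2026001;-45.25
400000;2026001;0 OR 1=1; DELETE FROM plan_data --
"""

# Allow-list the exact shape of each field; anything else is not data.
ACCOUNT_RE = re.compile(r"^[0-9]{6}$")
PERIOD_RE = re.compile(r"^[0-9]{7}$")
AMOUNT_RE = re.compile(r"^-?[0-9]{1,13}(\.[0-9]{1,2})?$")


def parse_rows(text):
    """Return (typed_rows, rejected_line_numbers). Fields are validated then typed."""
    good, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) != 3 or not (ACCOUNT_RE.match(parts[0])
                                   and PERIOD_RE.match(parts[1])
                                   and AMOUNT_RE.match(parts[2])):
            rejected.append(lineno)
            continue
        good.append((parts[0], parts[1], float(parts[2])))
    return good, rejected


def load_plan_data(conn, text):
    """Fail closed: load nothing if any row is bad; otherwise insert via bound parameters."""
    good, rejected = parse_rows(text)
    if rejected:
        return {"loaded": 0, "rejected_lines": rejected}
    conn.executemany(
        "INSERT INTO plan_data(account, period, amount) VALUES (?, ?, ?)", good)
    conn.commit()
    return {"loaded": len(good), "rejected_lines": []}


def demo(text=SAMPLE_UPLOAD):
    """Run the loader against an in-memory stand-in for the planning database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plan_data(account TEXT, period TEXT, amount REAL)")
    result = load_plan_data(conn, text)
    result["row_count"] = conn.execute("SELECT COUNT(*) FROM plan_data").fetchone()[0]
    return result
```

Logging the rejected line numbers from the loader is also a cheap detection signal: a user whose uploads repeatedly fail strict validation is worth a look.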


Affected products include HANABPC 810, BPC4HANA 300, and SAP Business Warehouse versions 750 through 816. Every patch from 750 onward is in scope, which means the installed base is effectively every enterprise running modern SAP finance infrastructure.


Why This One Matters


Every month brings new CVEs. What makes CVE-2026-27681 worth writing about is the combination of three factors.


First, the attack requires only low privileges. This is not a remote-unauthenticated exploit, but in an enterprise with thousands of users, a low-privileged account is trivially obtainable via phishing, credential stuffing, or a compromised supply-chain vendor. The privilege boundary the vulnerability breaks is the one that actually matters: from normal user to database root.


Second, it targets the financial core. Unlike a public website defacement, this flaw could allow an attacker to alter consolidation figures, delete plan versions, or exfiltrate an organization's most sensitive forecasting data — potentially undetected, since direct SQL execution bypasses the usual SAP audit trails.


Third, ABAP security receives far less scrutiny than web security. There is no Burp Suite for ABAP; the talent pool for SAP red teams is a tiny fraction of general pentesting. That asymmetry is precisely why these vulnerabilities linger.


The Patching Problem


SAP has confirmed no in-the-wild exploitation yet, and a patch is available as Note 3719353. But in SAP shops, "patch available" and "patch deployed" are often months apart. Production SAP landscapes have change-control windows measured in quarters, regression testing for every module, and strong reluctance from business owners to accept any downtime during a financial close.


Attackers know this. Historically, SAP-specific exploit kits surface 30 to 90 days after a public advisory. The clock is already ticking.


My Take


I work with enough enterprise security teams to know the reflex here: file it under "SAP team problem, not my problem." That reflex is exactly what adversaries rely on. SAP systems sit downstream of identity infrastructure, file shares, email, and helpdesk — the full corpus of typical enterprise attack paths. A 9.9 rating on SAP BPC is not an SAP alert. It is a board-level business continuity alert wearing an SAP logo.


The lesson of 2026 so far is that software-supply risk, AI-code risk, and enterprise-application risk are converging. A single phishing email harvests credentials; those credentials grant access to an SAP dialog user; that user uploads an attack file; the attacker owns the financial ledger. No zero-day required.


If your organization runs SAP BPC and has not yet applied Note 3719353, stop reading articles like this one and go do that. Then come back and ask: what else have we been deferring because it was somebody else's problem?

