TL;DR: SAP’s February 2026 Patch Day includes 26 security notes, with two Critical issues in CRM scripting and RFC authorization enforcement, plus high-risk defects in BusinessObjects and XML signature handling, according to Pathlock. The pattern is clear: trusted SAP execution paths are still where access control, identity trust, and availability break first.
NHIMG editorial — based on content published by Pathlock: SAP’s February 2026 Patch Day analysis
By the numbers:
- SAP’s February 2026 Patch Day includes 26 SAP Security Notes, with 2 Critical and 6 High severity issues.
Questions worth separating out
Q: What breaks when SAP authorisation checks fail in RFC paths?
A: When RFC checks fail, a low-privileged authenticated user can trigger remote-enabled operations that were meant to be blocked.
Q: When should SAP teams prioritise trust-boundary fixes over other patch work?
A: Prioritise trust-boundary fixes when a flaw can alter identity, invoke backend functions, or break shared availability across systems.
Q: What do security teams get wrong about signed XML in enterprise SSO?
A: They often assume that a valid signature means the whole message is safe.
Practitioner guidance
- Tighten SAP CRM scripting access immediately Disable the legacy Scripting Editor service if it is not operationally required, and reduce access to CRM scripting-related functionality to a minimal admin set.
- Revalidate RFC trust and S_RFC assignments After applying the kernel fix, inspect trusted RFC destinations, background RFC usage, and permissive S_RFC roles for cross-system reachability that exceeds business need.
- Test signed XML consumption, not just signature acceptance Review ABAP web services and SAML-connected flows to confirm the application consumes the same XML element that was signed.
What's in the full analysis
Pathlock's full analysis covers the operational detail this post intentionally leaves for the source:
- Patch-by-patch breakdown of every SAP Security Note in the February 2026 cycle
- Note-level mitigation guidance for CRM, RFC, BusinessObjects, and NetWeaver ABAP issues
- Environment-specific implementation details for Basis teams managing kernel updates and regression risk
- Defensive validation checks for SAML, WS-Security, and RFC enforcement changes after remediation
👉 Read Pathlock’s analysis of SAP February 2026 Patch Day trust-boundary failures →
SAP patch day trust failures: what IAM teams need to know?
Explore further
Trusted execution paths are the real identity perimeter in SAP. This Patch Day shows that the most dangerous failures are not always in authentication itself, but in the application and kernel paths that assume trusted execution once a session exists. RFC, CRM scripting, and signed XML all sit inside that perimeter. For identity teams, the lesson is that SAP authorisation is not just about who logged in, but which execution paths can still be reached after login. The practitioner conclusion is to treat SAP trust boundaries as first-class identity controls.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to our Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which is why trust-boundary failures often persist after the original issue is identified.
A question worth separating out:
Q: Who is accountable when a trusted SAP endpoint can be abused from the wrong network zone?
A: Accountability sits with the teams that own segmentation, application reachability, and SAP interface governance, not just the patch owner. If a trusted endpoint is reachable from user networks or external paths, the trust model has already failed. Security, Basis, and IAM owners need a shared view of which endpoints are privileged system interfaces.
👉 Read our full editorial: SAP February 2026 Patch Day exposes trust-boundary failures