TL;DR: SAP’s January 2026 Patch Day includes 17 security notes, with four Critical and four High issues concentrated in RFC paths, database privilege boundaries, and admin tooling, according to Pathlock. The pattern is structural: stolen credentials and overbroad trust relationships can turn routine SAP access into lateral movement and full compromise.
NHIMG editorial — based on content published by Pathlock: SAP January 2026 patch day analysis
By the numbers:
- SAP released 17 Security Notes on the January 2026 Patch Day, with four Critical and four High issues.
Questions worth separating out
Q: How should teams reduce risk from RFC-exposed SAP vulnerabilities?
A: Teams should treat RFC permissions as high-risk identity scope, not just transport access.
Q: Why do technical SAP accounts create disproportionate blast radius?
A: Technical accounts often connect multiple systems, carry elevated permissions, and bypass user-facing controls.
Q: What breaks when HANA credentials are impersonated or escalated?
A: Database user separation breaks, along with the assumptions that low-privileged access cannot become administrative without an explicit approval step.
Practitioner guidance
- Audit RFC trust paths and S_RFC breadth Inventory RFC destinations, technical users, and function groups that can reach finance, analytics, or transformation modules.
- Prioritise patching for code-injection and privilege-escalation notes Treat the S/4HANA Finance injection, the two RFC-exposed code-injection notes, and the HANA impersonation issue as first-wave remediation because they collapse internal trust into direct compromise.
- Constrain admin tooling to dedicated segments Restrict monitoring and Basis tools to admin-only subnets, remove browser-based launch paths where possible, and monitor for unusual JNLP launch behaviour or workstation activity after link clicks.
What's in the full article
Pathlock's full research covers the operational detail this post intentionally leaves for the source:
- Note-by-note breakdown of all 17 SAP Security Notes and their support-package requirements
- Patch sequencing guidance for Critical and High issues across finance, analytics, HANA, and monitoring tooling
- Detailed mitigation steps for S_RFC hardening, admin-network restriction, and monitoring priorities
- Component-level exposure notes for S/4HANA, DMIS/SLT, Introscope, and HANA environments
👉 Read Pathlock's analysis of SAP January 2026 patch day risk →
SAP patch day trust-path flaws: what IAM and Basis teams need to know?
Explore further
Internal trust is the real attack surface in SAP landscapes. The article shows that the most dangerous flaws are not primarily internet-facing, but reachable through RFC, database authentication, and admin workflows that enterprises already trust. That pattern maps directly to NHI governance, where technical users and service credentials are often granted more reach than their actual business function requires. The practitioner lesson is that trust path design, not only patch cadence, determines whether SAP flaws remain contained.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows that identity failure tends to repeat rather than remain isolated.
A question worth separating out:
Q: Who is accountable when legacy SAP admin tooling is abused?
A: Accountability sits with the teams that own the tool, the admin subnet, and the user workflow, not with a single patch owner. Monitoring platforms and launch mechanisms must be governed as privileged access channels, because they often sit close to production systems and can be turned into pivot points during phishing or post-compromise activity.
👉 Read our full editorial: SAP January 2026 patch day exposes trust-path abuse in core systems