Critical Unpatched SQL Injection Vulnerability in SAP S/4HANA Exposes Sensitive Enterprise Data to Authenticated Attackers

A critical SQL injection flaw, tracked as CVE-2026-34260 with a CVSS score of 9.6, has been identified in SAP S/4HANA systems running SAP_BASIS versions 751 through 816. The vulnerability allows authenticated attackers to access sensitive data and potentially crash applications. No patch is currently available, leaving organizations exposed while remediation efforts continue.

The affected software is widely deployed across enterprise environments, handling mission-critical business processes including finance, supply chain, and human resources operations. The flaw stems from improper neutralization of SQL commands, creating a direct pathway for attackers who already possess valid credentials. This requirement of prior authentication lowers the barrier for exploitation compared to unauthenticated vulnerabilities, particularly in environments where insider threats or credential compromise are concerns.

Security researchers at OffSeq's threat intelligence platform have flagged the vulnerability, urging immediate mitigation measures. Until an official patch is released, administrators are advised to restrict network access to affected systems, closely monitor logs for anomalous activity, and review user permissions to limit exposure. The critical severity rating and availability of proof-of-concept detection tools signal elevated risk for organizations running unpatched SAP S/4HANA instances.