Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system causing low impact on Confidentiality and Integrity. Availability of the system is no impacted.
AnalysisAI
SAP Fiori Launchpad is vulnerable to malicious URL crafting that triggers arbitrary service calls within the Fiori domain, enabling credential theft from users who interact with the crafted link. Exploitation requires no attacker privileges (PR:N per CVSS) but demands high attack complexity (AC:H) and user interaction (UI:R), meaning adversaries must possess advanced system knowledge and successfully deliver the URL to a victim. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, placing this in the medium-priority tier despite the credential-theft potential.
Technical ContextAI
SAP Fiori Launchpad is the browser-based entry point and tile-based navigation hub for SAP S/4HANA and related SAP product suites, acting as an orchestration layer for OData and REST-based backend services. The assigned CWE-35 (Path Traversal: '.../...//' variant) indicates that the URL manipulation leverages improper path segment handling to resolve unintended service endpoints on the Fiori domain - effectively allowing an attacker to craft a URL whose traversal sequences redirect the Launchpad into invoking backend services it should not expose to an external caller. This pattern can function similarly to SSRF or open-redirect chaining at the application layer: the Launchpad acts as a proxy, issuing service calls in the context of the authenticated user, which exposes session tokens or credentials to attacker-controlled endpoints. The Scope is Unchanged (S:U), meaning exploitation is contained within the Fiori application boundary rather than crossing into underlying OS or adjacent systems.
RemediationAI
The primary remediation is to apply the correction delivered via SAP Security Note 3682699. Customers should access this note through the SAP Support Portal (https://me.sap.com/notes/3682699) and follow the implementation instructions, which typically involve applying a transport or ABAP correction to the Fiori Launchpad configuration. An exact patched version number is not confirmed from available public data - verify the target version and prerequisites within the note itself before deployment. As a compensating control prior to patching, organizations can restrict external or unauthenticated URL delivery vectors to the Fiori Launchpad by enforcing strict Content Security Policy headers and reviewing URL allow-listing in the Fiori configuration (SAP Fiori Launchpad URL whitelist/intent-based navigation controls). Note that restricting navigation intents may break legitimate cross-application deep-link scenarios, so change management review is advised before applying. User awareness for phishing-style delivery is also relevant given the UI:R requirement.
Same weakness CWE-35 – Path Traversal: '.../...//'
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35277
GHSA-mqx2-hffm-62vp