Skip to main content

SAP Fiori Launchpad CVE-2026-24315

| EUVDEUVD-2026-35277 MEDIUM
Path Traversal: '.../...//' (CWE-35)
2026-06-09 cna@sap.com GHSA-mqx2-hffm-62vp
4.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 01:31 vuln.today

DescriptionCVE.org

SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system causing low impact on Confidentiality and Integrity. Availability of the system is no impacted.

AnalysisAI

SAP Fiori Launchpad is vulnerable to malicious URL crafting that triggers arbitrary service calls within the Fiori domain, enabling credential theft from users who interact with the crafted link. Exploitation requires no attacker privileges (PR:N per CVSS) but demands high attack complexity (AC:H) and user interaction (UI:R), meaning adversaries must possess advanced system knowledge and successfully deliver the URL to a victim. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, placing this in the medium-priority tier despite the credential-theft potential.

Technical ContextAI

SAP Fiori Launchpad is the browser-based entry point and tile-based navigation hub for SAP S/4HANA and related SAP product suites, acting as an orchestration layer for OData and REST-based backend services. The assigned CWE-35 (Path Traversal: '.../...//' variant) indicates that the URL manipulation leverages improper path segment handling to resolve unintended service endpoints on the Fiori domain - effectively allowing an attacker to craft a URL whose traversal sequences redirect the Launchpad into invoking backend services it should not expose to an external caller. This pattern can function similarly to SSRF or open-redirect chaining at the application layer: the Launchpad acts as a proxy, issuing service calls in the context of the authenticated user, which exposes session tokens or credentials to attacker-controlled endpoints. The Scope is Unchanged (S:U), meaning exploitation is contained within the Fiori application boundary rather than crossing into underlying OS or adjacent systems.

RemediationAI

The primary remediation is to apply the correction delivered via SAP Security Note 3682699. Customers should access this note through the SAP Support Portal (https://me.sap.com/notes/3682699) and follow the implementation instructions, which typically involve applying a transport or ABAP correction to the Fiori Launchpad configuration. An exact patched version number is not confirmed from available public data - verify the target version and prerequisites within the note itself before deployment. As a compensating control prior to patching, organizations can restrict external or unauthenticated URL delivery vectors to the Fiori Launchpad by enforcing strict Content Security Policy headers and reviewing URL allow-listing in the Fiori configuration (SAP Fiori Launchpad URL whitelist/intent-based navigation controls). Note that restricting navigation intents may break legitimate cross-application deep-link scenarios, so change management review is advised before applying. User awareness for phishing-style delivery is also relevant given the UI:R requirement.

Share

CVE-2026-24315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy