Skip to main content

SAP CVE-2026-24318

| EUVDEUVD-2026-22140 MEDIUM
Use of Persistent Cookies Containing Sensitive Information (CWE-539)
2026-04-14 cna@sap.com
4.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:24 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22140
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 4.2

DescriptionCVE.org

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected.

AnalysisAI

Insecure session management in SAP Business Objects Business Intelligence Platform allows unauthenticated attackers to obtain and reuse valid session tokens, enabling unauthorized access to victim sessions with moderate complexity. An attacker exploiting this vulnerability could access or modify information within the compromised session's scope, affecting confidentiality and integrity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify BI Platform instance
Delivery
Obtain victim session token via interception or social engineering
Exploit
Submit request with reused token
Execution
Application accepts expired or unvalidated token
Persist
Attacker assumes victim's authenticated context
Impact
Access or modify sensitive data in victim's session scope

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents a moderate but real risk despite the moderate CVSS score of 4.2. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains a valid session token for a legitimate BI Platform user through passive network sniffing on an unsecured Wi-Fi network or via social engineering (inducing the user to click a malicious link that captures the token). The attacker then submits requests to the BI Platform using the stolen token in the session cookie or header. …
Remediation Apply the security patch released by SAP for this vulnerability by consulting SAP Note 3702191 and the SAP Security Patch Day advisories. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy