Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.
AnalysisAI
Material Master application fails to enforce authorization checks for authenticated users executing reports, allowing disclosure of sensitive information to any authenticated user regardless of intended access permissions. Affects SAP Material Master with CVSS 4.3 (low severity) and confirmed authentication requirement; no active exploitation reported. Remote attackers with valid credentials can access restricted report data without additional attack complexity.
Technical ContextAI
The vulnerability stems from inadequate authorization enforcement (CWE-862: Missing Authorization) in the Material Master reporting module. The application implements authentication (verified via CVSS PR:L requirement) but omits role-based or attribute-based authorization checks when users execute report functionality. This is a classic privilege escalation scenario where authenticated sessions bypass intended access controls on report execution endpoints, allowing lateral movement to data beyond the user's assigned permissions. The Material Master component is part of the SAP ERP ecosystem, typically handling inventory, procurement, and supply chain data classified as sensitive business information.
RemediationAI
Apply the security patch released by SAP as documented in note 3703276 and the SAP Security Patch Day advisory at https://url.sap/sapsecuritypatchday. The patch adds proper authorization enforcement checks to the Material Master reporting module, ensuring authenticated users can only execute reports matching their assigned roles and permissions. As an interim mitigation, restrict report execution access to Material Master via role assignments and regularly audit access logs to detect unauthorized report execution attempts. Verify patching via SAP Solution Manager or the Configuration Validation Tool post-deployment.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22142
GHSA-hvjp-3x5g-4g4f