Skip to main content

SAP CVE-2026-27673

| EUVDEUVD-2026-22144 MEDIUM
Missing Authorization (CWE-862)
2026-04-14 cna@sap.com GHSA-4587-27hr-9q42
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:24 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22144
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 4.9

DescriptionCVE.org

Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations which could leads to no impact on Confidentiality, Low impact on Integrity and Availability of the application.

AnalysisAI

SAP S/4HANA (Private Cloud and On-Premise) allows authenticated local network users to delete arbitrary operating system files due to missing authorization checks, degrading system integrity and availability. The vulnerability requires prior authentication and high complexity attack conditions (AC:H), resulting in a CVSS score of 4.9. No evidence of active exploitation or public proof-of-concept code has been identified, but the authorization bypass is confirmed across both deployment models.

Technical ContextAI

The vulnerability stems from inadequate authorization validation (CWE-862: Missing Authorization) in SAP S/4HANA's file handling mechanisms. S/4HANA is SAP's enterprise resource planning suite that manages critical business data and operations; it provides APIs and administrative interfaces for file system operations. The missing authorization check allows authenticated users-who should only have restricted file operation capabilities-to invoke privileged file deletion operations without proper role-based access control validation. This occurs at the application layer before operating system-level file permission checks can enforce the security boundary, enabling the application to perform file deletions on behalf of an insufficiently-privileged user context.

RemediationAI

Apply the security patch released by SAP as part of the Security Patch Day cycle, using the specific patched version identified in SAP note 3703813 for your deployment model (Private Cloud or On-Premise). No temporary workaround has been documented in available security advisories; the authorization check cannot be reliably disabled or bypassed without patching the application code. Immediately after patching, verify that file operation APIs and administrative interfaces properly enforce role-based access control by testing with non-administrator accounts and confirming that file deletion operations are restricted. For organizations unable to patch immediately, implement network-level compensating controls by restricting network access to S/4HANA administrative and API endpoints from trusted internal networks only, and audit logs for unusual file deletion operations via the SAP security audit log (USL02 transaction).

Share

CVE-2026-27673 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy