Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations which could leads to no impact on Confidentiality, Low impact on Integrity and Availability of the application.
AnalysisAI
SAP S/4HANA (Private Cloud and On-Premise) allows authenticated local network users to delete arbitrary operating system files due to missing authorization checks, degrading system integrity and availability. The vulnerability requires prior authentication and high complexity attack conditions (AC:H), resulting in a CVSS score of 4.9. No evidence of active exploitation or public proof-of-concept code has been identified, but the authorization bypass is confirmed across both deployment models.
Technical ContextAI
The vulnerability stems from inadequate authorization validation (CWE-862: Missing Authorization) in SAP S/4HANA's file handling mechanisms. S/4HANA is SAP's enterprise resource planning suite that manages critical business data and operations; it provides APIs and administrative interfaces for file system operations. The missing authorization check allows authenticated users-who should only have restricted file operation capabilities-to invoke privileged file deletion operations without proper role-based access control validation. This occurs at the application layer before operating system-level file permission checks can enforce the security boundary, enabling the application to perform file deletions on behalf of an insufficiently-privileged user context.
RemediationAI
Apply the security patch released by SAP as part of the Security Patch Day cycle, using the specific patched version identified in SAP note 3703813 for your deployment model (Private Cloud or On-Premise). No temporary workaround has been documented in available security advisories; the authorization check cannot be reliably disabled or bypassed without patching the application code. Immediately after patching, verify that file operation APIs and administrative interfaces properly enforce role-based access control by testing with non-administrator accounts and confirming that file deletion operations are restricted. For organizations unable to patch immediately, implement network-level compensating controls by restricting network access to S/4HANA administrative and API endpoints from trusted internal networks only, and audit logs for unusual file deletion operations via the SAP security audit log (USL02 transaction).
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22144
GHSA-4587-27hr-9q42