Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.
AnalysisAI
SAP S/4HANA OData Service for Manage Technical Object Structures allows authenticated users to update and delete child entities without proper authorization checks, enabling unauthorized data modification. The vulnerability affects S/4HANA deployments exposing the vulnerable OData service and requires valid user credentials but no elevated privileges. CVSS base score is 4.3 (low-to-medium severity) with confirmed patch availability from SAP Security Patch Day.
Technical ContextAI
The vulnerability exists in SAP S/4HANA's OData service layer, specifically the Manage Technical Object Structures module. OData is a standardized protocol for building REST APIs that expose data via entity relationships. The underlying root cause is a missing authorization control (CWE-862: Missing Authorization) in the OData service logic that validates child entity modification requests. Attackers who possess valid SAP user credentials can leverage this gap to issue CRUD operations (Create, Read, Update, Delete) on child entities through the exposed OData endpoint without triggering authorization checks that should restrict such operations based on user role or resource ownership. The vulnerability is not in OData itself but in the application's failure to implement proper role-based access control (RBAC) at the service operation level.
RemediationAI
Apply the security patch issued by SAP via the official SAP Security Patch Day channel. Consult SAP Security Note 3711682 (https://me.sap.com/notes/3711682) for the exact patch number, version compatibility, and implementation steps tailored to your S/4HANA deployment topology (Cloud, on-premise, or hybrid). As an interim control, restrict network access to the Manage Technical Object Structures OData service endpoint to trusted internal subnets only, and review user account assignments and OData service role-based access policies to minimize exposure to low-privilege user accounts. Disable or deactivate the OData service if not required for business operations. After patching, verify authorization checks are enforced by performing user acceptance testing (UAT) with low-privilege test accounts attempting to modify child entities.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22148
GHSA-ghjj-x456-6m6f