Skip to main content

SAP CVE-2026-27676

| EUVDEUVD-2026-22148 MEDIUM
Missing Authorization (CWE-862)
2026-04-14 cna@sap.com GHSA-ghjj-x456-6m6f
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:25 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22148
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 4.3

DescriptionCVE.org

Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.

AnalysisAI

SAP S/4HANA OData Service for Manage Technical Object Structures allows authenticated users to update and delete child entities without proper authorization checks, enabling unauthorized data modification. The vulnerability affects S/4HANA deployments exposing the vulnerable OData service and requires valid user credentials but no elevated privileges. CVSS base score is 4.3 (low-to-medium severity) with confirmed patch availability from SAP Security Patch Day.

Technical ContextAI

The vulnerability exists in SAP S/4HANA's OData service layer, specifically the Manage Technical Object Structures module. OData is a standardized protocol for building REST APIs that expose data via entity relationships. The underlying root cause is a missing authorization control (CWE-862: Missing Authorization) in the OData service logic that validates child entity modification requests. Attackers who possess valid SAP user credentials can leverage this gap to issue CRUD operations (Create, Read, Update, Delete) on child entities through the exposed OData endpoint without triggering authorization checks that should restrict such operations based on user role or resource ownership. The vulnerability is not in OData itself but in the application's failure to implement proper role-based access control (RBAC) at the service operation level.

RemediationAI

Apply the security patch issued by SAP via the official SAP Security Patch Day channel. Consult SAP Security Note 3711682 (https://me.sap.com/notes/3711682) for the exact patch number, version compatibility, and implementation steps tailored to your S/4HANA deployment topology (Cloud, on-premise, or hybrid). As an interim control, restrict network access to the Manage Technical Object Structures OData service endpoint to trusted internal subnets only, and review user account assignments and OData service role-based access policies to minimize exposure to low-privilege user accounts. Disable or deactivate the OData service if not required for business operations. After patching, verify authorization checks are enforced by performing user acceptance testing (UAT) with low-privilege test accounts attempting to modify child entities.

Share

CVE-2026-27676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy