Skip to main content

SAP CVE-2026-27677

| EUVDEUVD-2026-22149 MEDIUM
Missing Authorization (CWE-862)
2026-04-14 cna@sap.com GHSA-58xj-93qq-mmvg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:25 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22149
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 6.5

DescriptionCVE.org

Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.

AnalysisAI

SAP S/4HANA OData Service for Manage Reference Equipment lacks authorization checks, allowing authenticated users to modify and delete child entities without proper access controls. The vulnerability affects S/4HANA instances with the vulnerable OData service and requires low-privilege network access, resulting in high integrity impact but no confidentiality or availability risk. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

This vulnerability exists in SAP S/4HANA's OData (Open Data Protocol) service layer, specifically the Manage Reference Equipment module. OData services expose data and business logic through standardized REST-like interfaces, and this implementation fails to enforce row-level or entity-level authorization checks (CWE-862: Missing Authorization). While the service requires authenticated access (PR:L), the authorization controls that should restrict which child entities a user can modify are absent. An attacker with valid S/4HANA credentials can bypass the intended authorization model by directly calling OData endpoints to manipulate entities they should not have permission to access.

RemediationAI

Consult SAP's official security advisories at SAP Note 3715097 and the SAP Security Patch Day page for the applicable patch version and deployment instructions specific to your S/4HANA release. Apply the vendor-released patch once available and validated in a test environment. In the interim, implement compensating controls by restricting OData service access through firewalls or reverse proxies, limit S/4HANA user accounts to the minimum necessary, and enable audit logging for OData service modifications to detect unauthorized activity.

Share

CVE-2026-27677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy