Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
AnalysisAI
SAP S/4HANA OData Service for Manage Reference Equipment lacks authorization checks, allowing authenticated users to modify and delete child entities without proper access controls. The vulnerability affects S/4HANA instances with the vulnerable OData service and requires low-privilege network access, resulting in high integrity impact but no confidentiality or availability risk. No public exploit code or active exploitation has been confirmed.
Technical ContextAI
This vulnerability exists in SAP S/4HANA's OData (Open Data Protocol) service layer, specifically the Manage Reference Equipment module. OData services expose data and business logic through standardized REST-like interfaces, and this implementation fails to enforce row-level or entity-level authorization checks (CWE-862: Missing Authorization). While the service requires authenticated access (PR:L), the authorization controls that should restrict which child entities a user can modify are absent. An attacker with valid S/4HANA credentials can bypass the intended authorization model by directly calling OData endpoints to manipulate entities they should not have permission to access.
RemediationAI
Consult SAP's official security advisories at SAP Note 3715097 and the SAP Security Patch Day page for the applicable patch version and deployment instructions specific to your S/4HANA release. Apply the vendor-released patch once available and validated in a test environment. In the interim, implement compensating controls by restricting OData service access through firewalls or reverse proxies, limit S/4HANA user accounts to the minimum necessary, and enable audit logging for OData service modifications to detect unauthorized activity.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22149
GHSA-58xj-93qq-mmvg