Skip to main content

SAP CVE-2026-27678

| EUVDEUVD-2026-22150 MEDIUM
Missing Authorization (CWE-862)
2026-04-14 cna@sap.com GHSA-8pxq-pw5m-8q7x
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:25 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22150
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 6.5

DescriptionCVE.org

Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.

AnalysisAI

SAP S/4HANA backend OData Service for Manage Reference Structures allows authenticated remote attackers to modify and delete child entities without proper authorization checks, compromising data integrity across reference data structures. The vulnerability requires valid user credentials but no elevated privileges, affecting organizations running vulnerable S/4HANA versions. CVSS 6.5 with confirmed patch availability via SAP Security Patch Day.

Technical ContextAI

The vulnerability exists in the OData service layer of SAP S/4HANA's Manage Reference Structures module, which exposes data manipulation operations (create, read, update, delete) via REST-based OData protocols. OData services are designed to provide standardized access to backend business data; however, this implementation fails to validate user authorization at the entity level before allowing modifications. CWE-862 (Missing Authorization) indicates the root cause is absent or insufficient access control checks in the authorization validation logic. The exposed endpoints process authenticated requests without verifying whether the caller has permission to modify specific child entities, allowing privilege escalation within the application's trust boundary. This affects the integrity control layer that should enforce business rules for hierarchical reference data structures.

RemediationAI

Apply the security patch released via SAP Security Patch Day (reference https://url.sap/sapsecuritypatchday) following the version guidance provided in SAP note 3715177. The patch re-implements authorization validation in the OData service layer to enforce entity-level access control before allowing updates or deletions of child entities. Organizations should test the patch in non-production environments first, then schedule maintenance windows for production deployment. As a temporary mitigation pending patch deployment, restrict OData Service access via network-level controls or application gateway rules to limit exposure to trusted users only; however, this does not remediate the underlying authorization flaw and should be treated as a stopgap measure.

Share

CVE-2026-27678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy