Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
AnalysisAI
SAP S/4HANA frontend OData Service (Manage Reference Structures) allows authenticated users to update and delete child entities without proper authorization checks, enabling privilege escalation and data integrity violations. The vulnerability requires valid user credentials but no special privileges, affecting systems running vulnerable S/4HANA versions. Attackers can exploit exposed OData endpoints to modify or remove reference structure data that should be protected from their access level.
Technical ContextAI
The vulnerability exists in SAP S/4HANA's OData service layer, specifically in the Manage Reference Structures application. OData is a standardized REST-based protocol for querying and modifying data, widely used in enterprise systems for application integration. The root cause is classified as CWE-862 (Missing Authorization), indicating that authorization checks are not performed before allowing update (PUT/PATCH) and delete (DELETE) operations on child entity resources. An authenticated user with basic access can craft OData requests to modify or delete entities they should not have permission to alter. The exposure occurs because the service fails to validate whether the requestor has the required authorization level for specific entities within the reference structure hierarchy, relying instead on authentication alone.
RemediationAI
Apply the security patch released by SAP for the Manage Reference Structures OData Service component through the official SAP Security Patch Day channel (https://url.sap/sapsecuritypatchday) and refer to SAP Note 3716767 for detailed patching guidance and specific fixed versions. Ensure all S/4HANA systems with OData services enabled are updated with the latest cumulative patch. As an interim mitigation prior to patching, organizations should restrict OData endpoint access through network controls and review IAM policies to limit which user roles can access reference structure modification endpoints, implementing least-privilege access principles. Monitor OData service logs for unusual update or delete operations on reference structure entities that deviate from normal business patterns.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22152