Skip to main content

SAP CVE-2026-27679

| EUVDEUVD-2026-22152 MEDIUM
Missing Authorization (CWE-862)
2026-04-14 cna@sap.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:25 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22152
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 6.5

DescriptionCVE.org

Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.

AnalysisAI

SAP S/4HANA frontend OData Service (Manage Reference Structures) allows authenticated users to update and delete child entities without proper authorization checks, enabling privilege escalation and data integrity violations. The vulnerability requires valid user credentials but no special privileges, affecting systems running vulnerable S/4HANA versions. Attackers can exploit exposed OData endpoints to modify or remove reference structure data that should be protected from their access level.

Technical ContextAI

The vulnerability exists in SAP S/4HANA's OData service layer, specifically in the Manage Reference Structures application. OData is a standardized REST-based protocol for querying and modifying data, widely used in enterprise systems for application integration. The root cause is classified as CWE-862 (Missing Authorization), indicating that authorization checks are not performed before allowing update (PUT/PATCH) and delete (DELETE) operations on child entity resources. An authenticated user with basic access can craft OData requests to modify or delete entities they should not have permission to alter. The exposure occurs because the service fails to validate whether the requestor has the required authorization level for specific entities within the reference structure hierarchy, relying instead on authentication alone.

RemediationAI

Apply the security patch released by SAP for the Manage Reference Structures OData Service component through the official SAP Security Patch Day channel (https://url.sap/sapsecuritypatchday) and refer to SAP Note 3716767 for detailed patching guidance and specific fixed versions. Ensure all S/4HANA systems with OData services enabled are updated with the latest cumulative patch. As an interim mitigation prior to patching, organizations should restrict OData endpoint access through network controls and review IAM policies to limit which user roles can access reference structure modification endpoints, implementing least-privilege access principles. Monitor OData service logs for unusual update or delete operations on reference structure entities that deviate from normal business patterns.

Share

CVE-2026-27679 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy