Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.
AnalysisAI
SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance.
Technical ContextAI
This vulnerability affects SAP's enterprise planning and analytics platforms built on NetWeaver ABAP and HANA databases. SAP Business Planning and Consolidation handles financial consolidation and planning workflows, while SAP Business Warehouse provides data warehousing and analytics capabilities. The CWE-89 SQL injection flaw stems from insufficient input validation in user-supplied parameters processed by backend database queries. The CVSS scope-change metric (S:C) suggests the vulnerable component runs with elevated database privileges, allowing attackers to escape the application sandbox and directly manipulate database objects potentially shared with other SAP modules. Affected versions include classic NetWeaver-based releases (SAP_BW 750-758) and newer HANA-optimized platforms (BPC4HANA 300, HANABPC 810/816), indicating the authorization bypass exists across multiple architectural generations of these products.
RemediationAI
Apply SAP Security Note 3719353 immediately to all affected SAP Business Planning and Consolidation and SAP Business Warehouse systems. Consult the monthly SAP Security Patch Day bulletin at https://url.sap/sapsecuritypatchday for specific patch installation instructions and support package requirements for each affected version. Until patching is complete, implement compensating controls: restrict BPC and BW user authorizations using SAP authorization objects to limit database-level access (review S_TABU_DIS, S_TABU_NAM, and BW-specific authorization objects); enable SAP Security Audit Log (transaction SM19/SM20) to monitor for suspicious SQL execution patterns or unauthorized data access attempts; deploy database activity monitoring to detect SQL injection attempts through anomalous query patterns or privilege escalation; conduct emergency access review for users with BPC_EXPERT or BW administrator roles who could exploit insufficient authorization checks. Note that authorization restrictions may impact legitimate planning and reporting workflows, requiring business unit coordination. Database-layer monitoring adds performance overhead during high-volume ETL operations but provides essential detection capability until patches are deployed.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22154
GHSA-qv8q-6q9m-8ch9