Skip to main content

SAP CVE-2026-27681

| EUVDEUVD-2026-22154 CRITICAL
SQL Injection (CWE-89)
2026-04-14 cna@sap.com GHSA-qv8q-6q9m-8ch9
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 17, 2026 - 15:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 00:25 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22154
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
CRITICAL 9.9

DescriptionCVE.org

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

AnalysisAI

SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance.

Technical ContextAI

This vulnerability affects SAP's enterprise planning and analytics platforms built on NetWeaver ABAP and HANA databases. SAP Business Planning and Consolidation handles financial consolidation and planning workflows, while SAP Business Warehouse provides data warehousing and analytics capabilities. The CWE-89 SQL injection flaw stems from insufficient input validation in user-supplied parameters processed by backend database queries. The CVSS scope-change metric (S:C) suggests the vulnerable component runs with elevated database privileges, allowing attackers to escape the application sandbox and directly manipulate database objects potentially shared with other SAP modules. Affected versions include classic NetWeaver-based releases (SAP_BW 750-758) and newer HANA-optimized platforms (BPC4HANA 300, HANABPC 810/816), indicating the authorization bypass exists across multiple architectural generations of these products.

RemediationAI

Apply SAP Security Note 3719353 immediately to all affected SAP Business Planning and Consolidation and SAP Business Warehouse systems. Consult the monthly SAP Security Patch Day bulletin at https://url.sap/sapsecuritypatchday for specific patch installation instructions and support package requirements for each affected version. Until patching is complete, implement compensating controls: restrict BPC and BW user authorizations using SAP authorization objects to limit database-level access (review S_TABU_DIS, S_TABU_NAM, and BW-specific authorization objects); enable SAP Security Audit Log (transaction SM19/SM20) to monitor for suspicious SQL execution patterns or unauthorized data access attempts; deploy database activity monitoring to detect SQL injection attempts through anomalous query patterns or privilege escalation; conduct emergency access review for users with BPC_EXPERT or BW administrator roles who could exploit insufficient authorization checks. Note that authorization restrictions may impact legitimate planning and reporting workflows, requiring business unit coordination. Database-layer monitoring adds performance overhead during high-volume ETL operations but provides essential detection capability until patches are deployed.

Share

CVE-2026-27681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy