SAP
CVE-2026-27686
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected.
AnalysisAI
SAP Business Warehouse Service API lacks proper authorization controls on RFC function modules, allowing authenticated attackers to modify configurations and disrupt request processing. An attacker with valid credentials could exploit this vulnerability to cause denial of service and alter system integrity without detection. No patch is currently available for this medium-severity vulnerability.
Technical ContextAI
Classified as CWE-862 (Missing Authorization). Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected.
Affected ProductsAI
Component: an affected RFC.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-862 – Missing Authorization
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today