Skip to main content

SAP Approuter CVE-2026-27690

| EUVDEUVD-2026-43584 CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-07-14 sap GHSA-8m85-wqg7-c529
9.1
CVSS 3.1 · Vendor: sap
Share

Severity by source

Vendor (sap) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
9.1 CRITICAL

Unauthenticated network request smuggling (AV:N/AC:L/PR:N/UI:N) exposing other users' responses (C:H) and disrupting service (A:H); no data modification, so I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (sap).

CVSS VectorVendor: sap

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 05:17 EUVD
Analysis Generated
Jul 14, 2026 - 01:15 vuln.today
CVE Published
Jul 14, 2026 - 00:17 cve.org
CRITICAL 9.1

DescriptionCVE.org

Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to a high impact on confidentiality and availability.

AnalysisAI

Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public Approuter endpoint
Delivery
Send crafted ambiguous HTTP request
Exploit
Desync front-end/backend parsing
Execution
Poison shared connection queue
Persist
Capture another user's response / drop service
Impact
Confidentiality breach and denial of service

Vulnerability AssessmentAI

Exploitation No authentication, user interaction, or special privileges are required (PR:N/UI:N), and the attack is network-reachable at low complexity (AV:N/AC:L) against an internet-exposed SAP Approuter instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) indicates a genuinely serious, network-reachable, low-complexity, unauthenticated issue with high confidentiality and availability impact and no integrity impact - consistent with response-queue poisoning (leaking responses) and connection-pool disruption (unavailability). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the internet sends a single crafted HTTP request to a public SAP Approuter endpoint containing ambiguous length/encoding headers so that the proxy and backend disagree on message boundaries. The smuggled portion poisons the shared connection, causing a subsequent legitimate user's response (potentially containing session or personal data) to be delivered to the attacker, and repeated abuse desynchronizes connections enough to make the application unavailable. …
Remediation Apply the fix described in SAP Security Note 3720138 (https://me.sap.com/notes/3720138) and cross-reference the SAP Security Patch Day listing (https://url.sap/sapsecuritypatchday); as Approuter ships as the @sap/approuter npm dependency, upgrade each affected application to the patched Approuter version specified in the note and redeploy. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all SAP Approuter deployments for internet exposure and document current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-27690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy