Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Unauthenticated network request smuggling (AV:N/AC:L/PR:N/UI:N) exposing other users' responses (C:H) and disrupting service (A:H); no data modification, so I:N.
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to a high impact on confidentiality and availability.
Articles & Coverage 1
AnalysisAI
Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication, user interaction, or special privileges are required (PR:N/UI:N), and the attack is network-reachable at low complexity (AV:N/AC:L) against an internet-exposed SAP Approuter instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) indicates a genuinely serious, network-reachable, low-complexity, unauthenticated issue with high confidentiality and availability impact and no integrity impact - consistent with response-queue poisoning (leaking responses) and connection-pool disruption (unavailability). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the internet sends a single crafted HTTP request to a public SAP Approuter endpoint containing ambiguous length/encoding headers so that the proxy and backend disagree on message boundaries. The smuggled portion poisons the shared connection, causing a subsequent legitimate user's response (potentially containing session or personal data) to be delivered to the attacker, and repeated abuse desynchronizes connections enough to make the application unavailable. … |
| Remediation | Apply the fix described in SAP Security Note 3720138 (https://me.sap.com/notes/3720138) and cross-reference the SAP Security Patch Day listing (https://url.sap/sapsecuritypatchday); as Approuter ships as the @sap/approuter npm dependency, upgrade each affected application to the patched Approuter version specified in the note and redeploy. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all SAP Approuter deployments for internet exposure and document current versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Sap Approuter
View allSame weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43584
GHSA-8m85-wqg7-c529