Skip to main content

SAP CVE-2026-34256

| EUVDEUVD-2026-22166 HIGH
Missing Authorization (CWE-862)
2026-04-14 sap
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 01:22 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 01:15 euvd
EUVD-2026-22166
Analysis Generated
Apr 14, 2026 - 01:15 vuln.today
CVE Published
Apr 14, 2026 - 00:08 nvd
HIGH 7.1

DescriptionCVE.org

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

AnalysisAI

Authenticated remote attackers can overwrite eight-character executable ABAP reports in SAP ERP and SAP S/4HANA systems due to missing authorization checks, enabling denial-of-service conditions when legitimate users execute corrupted reports. This authorization bypass (CWE-862) requires low-privilege authenticated access (CVSS PR:L) and has low attack complexity, combining limited integrity impact with high availability impact (CVSS 7.1). EPSS data not provided; no public exploit identified at time of analysis. Affects SAP ERP and SAP S/4HANA Private Cloud and On-Premise deployments.

Technical ContextAI

This vulnerability affects SAP's ABAP (Advanced Business Application Programming) runtime environment within SAP ERP and SAP S/4HANA systems. The affected product per CPE identifier is SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) deployments. The root cause is CWE-862 (Missing Authorization), where a specific ABAP report execution function fails to verify whether the authenticated user has proper authorization to modify executable reports. ABAP reports are executable programs within SAP systems that perform business logic, data processing, and system operations. The vulnerability specifically targets reports with eight-character names, a common naming convention in classic ABAP development. The missing authorization check allows privilege escalation where low-privileged users can perform administrative-level modifications to executable code objects without proper security clearance.

RemediationAI

Apply the security patch provided in SAP Security Note 3731908, accessible through the SAP Support Portal at https://me.sap/notes/3731908. The exact patched version numbers are not specified in available data; consult the security note directly for version-specific patch levels for your SAP ERP or S/4HANA deployment. As an interim workaround, implement compensating controls including enhanced monitoring of ABAP report modifications, restricting execution permissions for the vulnerable report to trusted users only, and implementing transaction-level authorization reviews to ensure low-privilege users cannot access report modification functions. Review SAP authorization objects related to ABAP development (such as S_DEVELOP) and restrict them to authorized developers only. Monitor the official SAP Security Patch Day communications at https://url.sap/sapsecuritypatchday for updates and additional remediation guidance.

Share

CVE-2026-34256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy