Skip to main content

SAP S/4HANA Enterprise Search CVE-2026-34260

| EUVDEUVD-2026-29371 CRITICAL
SQL Injection (CWE-89)
2026-05-12 sap GHSA-mr52-49cx-qrr8
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:20 nvd
CRITICAL 9.6

DescriptionCVE.org

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

AnalysisAI

SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications.

Technical ContextAI

SAP Enterprise Search for ABAP is the integrated search engine framework within SAP S/4HANA that enables full-text search across business objects and documents. This CWE-89 SQL injection vulnerability exists in the search query processing layer where user-supplied search parameters are concatenated directly into SQL statements without parameterized queries or input sanitization. The ABAP application layer passes these malformed queries to the underlying database (typically SAP HANA, Oracle, or DB2), enabling direct database interaction. The scope change from Changed to Confidentiality/Availability (S:C/C:H/A:H) indicates the attacker can impact resources beyond the vulnerable search component itself, likely gaining access to broader S/4HANA database schemas containing financial, HR, and operational data.

RemediationAI

Apply SAP Security Note 3724838 immediately, available through the SAP Support Portal (https://me.sap/notes/3724838) and referenced in SAP Security Patch Day announcements (https://url.sap/sapsecuritypatchday). The note contains specific ABAP transports or support packages for each affected S/4HANA release line. For organizations unable to apply patches immediately, implement compensating controls: restrict access to Enterprise Search functionality via authorization object S_ESH_WB_ALL to only essential users (trade-off: reduces search capability for broader user base), enable enhanced SQL logging in the database layer to detect injection attempts (trade-off: performance overhead and log storage requirements), deploy SAP NetWeaver Gateway input validation rules to sanitize search query parameters before reaching the search engine (trade-off: may break legitimate queries with special characters), and segment network access to S/4HANA systems to prevent lateral movement if exploitation occurs (trade-off: may complicate legitimate integrations). These controls are not substitutes for patching but reduce attack surface during testing and deployment windows.

Share

CVE-2026-34260 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy