Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
AnalysisAI
SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications.
Technical ContextAI
SAP Enterprise Search for ABAP is the integrated search engine framework within SAP S/4HANA that enables full-text search across business objects and documents. This CWE-89 SQL injection vulnerability exists in the search query processing layer where user-supplied search parameters are concatenated directly into SQL statements without parameterized queries or input sanitization. The ABAP application layer passes these malformed queries to the underlying database (typically SAP HANA, Oracle, or DB2), enabling direct database interaction. The scope change from Changed to Confidentiality/Availability (S:C/C:H/A:H) indicates the attacker can impact resources beyond the vulnerable search component itself, likely gaining access to broader S/4HANA database schemas containing financial, HR, and operational data.
RemediationAI
Apply SAP Security Note 3724838 immediately, available through the SAP Support Portal (https://me.sap/notes/3724838) and referenced in SAP Security Patch Day announcements (https://url.sap/sapsecuritypatchday). The note contains specific ABAP transports or support packages for each affected S/4HANA release line. For organizations unable to apply patches immediately, implement compensating controls: restrict access to Enterprise Search functionality via authorization object S_ESH_WB_ALL to only essential users (trade-off: reduces search capability for broader user base), enable enhanced SQL logging in the database layer to detect injection attempts (trade-off: performance overhead and log storage requirements), deploy SAP NetWeaver Gateway input validation rules to sanitize search query parameters before reaching the search engine (trade-off: may break legitimate queries with special characters), and segment network access to S/4HANA systems to prevent lateral movement if exploitation occurs (trade-off: may complicate legitimate integrations). These controls are not substitutes for patching but reduce attack surface during testing and deployment windows.
Same weakness CWE-89 – SQL Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29371
GHSA-mr52-49cx-qrr8