Skip to main content

SAP CVE-2026-34261

| EUVDEUVD-2026-22170 MEDIUM
Missing Authorization (CWE-862)
2026-04-14 sap
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 01:22 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 01:15 euvd
EUVD-2026-22170
Analysis Generated
Apr 14, 2026 - 01:15 vuln.today
CVE Published
Apr 14, 2026 - 00:08 nvd
MEDIUM 6.5

DescriptionCVE.org

Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.

AnalysisAI

Missing authorization checks in SAP Business Analytics and SAP Content Management allow authenticated users to invoke unauthorized remote function module calls, enabling confidential data access beyond their assigned permissions. The vulnerability affects all versions of the product and carries a CVSS score of 6.5 with confirmed high confidentiality impact. No public exploit code or active exploitation has been reported at time of analysis.

Technical ContextAI

This vulnerability stems from inadequate authorization validation (CWE-862: Missing Authorization) in SAP's remote function call (RFC) handling mechanisms. SAP Business Analytics and SAP Content Management utilize RFC interfaces to enable inter-system communication and modular function invocation. The missing authorization check fails to properly validate whether an authenticated user possesses sufficient privileges to execute specific remote function modules before processing the request. While authentication is performed (confirming user identity), the subsequent authorization layer (verifying user permissions against callable modules) is absent or improperly enforced. This allows an authenticated attacker to escalate their functional access without elevated credentials, potentially reading sensitive business data, analytics metadata, or content repository information that should be restricted by role-based access control.

RemediationAI

SAP has released security patches addressing the missing authorization check. Organizations must apply the vendor-released patch via SAP Security Patch Day updates; exact patched versions should be obtained from SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and SAP Note 3705094 (https://me.sap.com/notes/3705094). As interim mitigation pending patch deployment, restrict network access to remote function module endpoints via firewall or VPN controls, implement additional application-level authorization logging to detect unauthorized RFC calls, and audit user permissions for sensitive function modules to identify overprivileged accounts. Review RFC destination configurations and user role assignments to ensure least-privilege access control aligns with business requirements.

Share

CVE-2026-34261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy