Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
AnalysisAI
SAP Human Capital Management for SAP S/4HANA allows authenticated users with low privileges to enumerate and guess sensitive information through specific authorization check messages, resulting in information disclosure beyond their authorized scope. The vulnerability affects SAP HCM across affected versions and requires low-privilege authenticated access to exploit, with a CVSS score of 6.5 reflecting high confidentiality impact but no integrity or availability compromise.
Technical ContextAI
The vulnerability stems from improper information disclosure in authorization checks within SAP Human Capital Management (HCM), a core human resources module of SAP S/4HANA. The root cause is classified as CWE-204 (Observable Discrepancy), indicating that the system returns distinguishable messages or responses during authorization validation that leak information about protected resources. When an authenticated user with low privileges attempts to access or enumerate resources, the system's specific error messages or response patterns allow an attacker to infer the existence and nature of sensitive data they should not have permission to view. This is a classic example of authorization logic that fails to implement proper information hiding, allowing content enumeration through message analysis rather than direct access.
RemediationAI
Apply the security patch provided by SAP through their standard patching process referenced in SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and detailed in SAP Note 3680767 (https://me.sap.com/notes/3680767). The patch corrects authorization check message handling to prevent enumeration of protected resources. Organizations should prioritize patching systems with large numbers of low-privilege HCM users (e.g., employee self-service portals). Until patches are deployed, organizations may implement access controls restricting low-privilege user access to resource enumeration features, though this may impact business functionality.
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22174
GHSA-4c58-m4cg-6h2f