Skip to main content

SAP CVE-2026-34264

| EUVDEUVD-2026-22174 MEDIUM
Observable Response Discrepancy (CWE-204)
2026-04-14 sap GHSA-4c58-m4cg-6h2f
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 01:22 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 01:15 euvd
EUVD-2026-22174
Analysis Generated
Apr 14, 2026 - 01:15 vuln.today
CVE Published
Apr 14, 2026 - 00:09 nvd
MEDIUM 6.5

DescriptionCVE.org

During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.

AnalysisAI

SAP Human Capital Management for SAP S/4HANA allows authenticated users with low privileges to enumerate and guess sensitive information through specific authorization check messages, resulting in information disclosure beyond their authorized scope. The vulnerability affects SAP HCM across affected versions and requires low-privilege authenticated access to exploit, with a CVSS score of 6.5 reflecting high confidentiality impact but no integrity or availability compromise.

Technical ContextAI

The vulnerability stems from improper information disclosure in authorization checks within SAP Human Capital Management (HCM), a core human resources module of SAP S/4HANA. The root cause is classified as CWE-204 (Observable Discrepancy), indicating that the system returns distinguishable messages or responses during authorization validation that leak information about protected resources. When an authenticated user with low privileges attempts to access or enumerate resources, the system's specific error messages or response patterns allow an attacker to infer the existence and nature of sensitive data they should not have permission to view. This is a classic example of authorization logic that fails to implement proper information hiding, allowing content enumeration through message analysis rather than direct access.

RemediationAI

Apply the security patch provided by SAP through their standard patching process referenced in SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and detailed in SAP Note 3680767 (https://me.sap.com/notes/3680767). The patch corrects authorization check message handling to prevent enumeration of protected resources. Organizations should prioritize patching systems with large numbers of low-privilege HCM users (e.g., employee self-service portals). Until patches are deployed, organizations may implement access controls restricting low-privilege user access to resource enumeration features, though this may impact business functionality.

Share

CVE-2026-34264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy