Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality and availability of the application. There is no impact on integrity.
AnalysisAI
SQL injection in SAP HANA Deployment Infrastructure (HDI) deploy library allows high-privileged users to manipulate dynamically constructed SQL queries, potentially altering SELECT statements and compromising confidentiality and availability. Attack requires local access and high privileges (PR:H), limiting real-world risk despite SQL injection severity. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The @sap/hdi-deploy package is a Node.js library used to deploy and manage SAP HANA artifacts. The vulnerability stems from CWE-89 (SQL Injection), where user-controlled input is concatenated directly into SQL query strings rather than using parameterized queries or prepared statements. This allows attackers with high privileges to inject arbitrary SQL syntax into SELECT statements. The affected CPE indicates all versions of the SAP HANA Deployment Infrastructure deploy library (cpe:2.3:a:sap_se:sap_hana_deployment_infrastructure_(hdi)_deploy_library:*:*:*:*:*:*:*:*) are potentially vulnerable.
RemediationAI
Apply the patch released by SAP for the @sap/hdi-deploy library as documented in SAP security note 3726962 (https://me.sap.com/notes/3726962) and the SAP Security Patch Day advisory (https://url.sap/sapsecuritypatchday). Update the @sap/hdi-deploy package to the patched version in your deployment pipeline. As a temporary compensating control, restrict deployment permissions to only trusted administrators and disable dynamic SQL construction in deployment scripts where possible; audit all deployment activities for suspicious SQL patterns. Verify that parameterized queries or prepared statements are used in any custom deployment extensions.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29359
GHSA-75qg-6cmg-3h9p