Skip to main content

SAP S/4HANA Condition Maintenance CVE-2026-40133

| EUVDEUVD-2026-29360 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 sap GHSA-gqmf-q62p-q4q6
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:21 nvd
MEDIUM 6.3

DescriptionCVE.org

Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.

AnalysisAI

Missing authorization checks in SAP S/4HANA Condition Maintenance allow authenticated attackers to view and modify condition table records they should not have access to, compromising data confidentiality and integrity while potentially denying legitimate users access to those same records. The vulnerability requires valid user credentials but affects all versions of the affected module, with CVSS 6.3 reflecting its multi-faceted impact across three security dimensions.

Technical ContextAI

SAP S/4HANA Condition Maintenance is a business application module responsible for managing condition tables used in SAP's pricing and rebate calculations. The vulnerability stems from a missing authorization check (CWE-862: Missing Authorization) in the application logic that processes condition table record access requests. Rather than a broken authentication mechanism, the flaw allows authenticated users to bypass role-based access controls (RBAC) or object-level security checks that should restrict their view and modification capabilities. This is a classic privilege escalation vulnerability where the application fails to validate that the requesting user has the required authorization attributes or roles before allowing CRUD operations on sensitive condition data.

RemediationAI

Obtain and apply the vendor-released patch from SAP via Security Note 3718083 (https://me.sap.com/notes/3718083) and track updates on the SAP Security Patch Day portal (https://url.sap/sapsecuritypatchday). The patch should restore proper authorization checks for condition table record access. As an interim control pending patch deployment, implement compensating access restrictions: (1) restrict 'Condition Maintenance' role assignments to only users who have legitimate business need and audit all current role holders; (2) enable SAP system change logging (transaction SE06 / ATC) to detect unauthorized modifications to condition tables; (3) configure table monitoring via Authorization Object DEBUG (to log reads) or condition table-specific audit logs if available in your S/4HANA version; (4) review and tighten condition-related authorization objects (typically TCMD or similar) in user roles to enforce field-level restrictions. Each control adds administrative overhead but reduces blast radius until patching. Coordinate with your SAP basis team and business process owners (Pricing/Sales) before implementing access restrictions, as over-constraining roles may break legitimate operations.

Share

CVE-2026-40133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy