Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.
AnalysisAI
Missing authorization checks in SAP S/4HANA Condition Maintenance allow authenticated attackers to view and modify condition table records they should not have access to, compromising data confidentiality and integrity while potentially denying legitimate users access to those same records. The vulnerability requires valid user credentials but affects all versions of the affected module, with CVSS 6.3 reflecting its multi-faceted impact across three security dimensions.
Technical ContextAI
SAP S/4HANA Condition Maintenance is a business application module responsible for managing condition tables used in SAP's pricing and rebate calculations. The vulnerability stems from a missing authorization check (CWE-862: Missing Authorization) in the application logic that processes condition table record access requests. Rather than a broken authentication mechanism, the flaw allows authenticated users to bypass role-based access controls (RBAC) or object-level security checks that should restrict their view and modification capabilities. This is a classic privilege escalation vulnerability where the application fails to validate that the requesting user has the required authorization attributes or roles before allowing CRUD operations on sensitive condition data.
RemediationAI
Obtain and apply the vendor-released patch from SAP via Security Note 3718083 (https://me.sap.com/notes/3718083) and track updates on the SAP Security Patch Day portal (https://url.sap/sapsecuritypatchday). The patch should restore proper authorization checks for condition table record access. As an interim control pending patch deployment, implement compensating access restrictions: (1) restrict 'Condition Maintenance' role assignments to only users who have legitimate business need and audit all current role holders; (2) enable SAP system change logging (transaction SE06 / ATC) to detect unauthorized modifications to condition tables; (3) configure table monitoring via Authorization Object DEBUG (to log reads) or condition table-specific audit logs if available in your S/4HANA version; (4) review and tighten condition-related authorization objects (typically TCMD or similar) in user roles to enforce field-level restrictions. Each control adds administrative overhead but reduces blast radius until patching. Coordinate with your SAP basis team and business process owners (Pricing/Sales) before implementing access restrictions, as over-constraining roles may break legitimate operations.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29360
GHSA-gqmf-q62p-q4q6