Skip to main content

SAP Incentive and Commission Management CVE-2026-40134

| EUVDEUVD-2026-29363 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 sap GHSA-vxmw-hcjw-h6q2
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:21 nvd
MEDIUM 4.3

DescriptionCVE.org

Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.

AnalysisAI

Insufficient authorization checks in SAP Incentive and Commission Management allow authenticated users to invoke remote-enabled function modules and perform unauthorized table update operations, compromising data integrity. The vulnerability requires valid user credentials and network access but has limited scope - no confidentiality or availability impact. CVSS 4.3 (low) reflects the authentication requirement and integrity-only impact; no active exploitation or public POC identified at analysis time.

Technical ContextAI

SAP Incentive and Commission Management uses remote-enabled function modules (RFMs) as callable interfaces in the ABAP environment. Remote-enabled functions can be invoked via RFC (Remote Function Call) protocol from authenticated sessions. The vulnerability stems from CWE-862 (Missing Authorization) - the application fails to validate that an authenticated user has explicit permission to call specific function modules or perform table updates through them. This is distinct from authentication (which is present) and represents a privilege escalation or lateral movement risk within authenticated SAP environments. The CPE indicates all versions of the product may be affected.

RemediationAI

Apply the security patch released by SAP on the designated security patch day (referenced in https://url.sap/sapsecuritypatchday and SAP Note 3718508); exact patched version numbers not specified in available data - verify patch details in the SAP advisory. Interim mitigation: restrict user access controls to limit who can invoke remote-enabled function modules in Incentive and Commission Management (audit profiles for RFC authorization object S_RFC); disable unnecessary RFC connectivity to ICM modules if not operationally required; implement segregation of duties to prevent low-privilege users from accessing sensitive table update functions. Trade-offs: restricting RFC access may impact integrated ERP workflows; verify downstream processes before applying. No patch version data was independently confirmed from the references provided - consult SAP directly for exact remediation steps.

Share

CVE-2026-40134 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy