Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
AnalysisAI
Insufficient authorization checks in SAP Incentive and Commission Management allow authenticated users to invoke remote-enabled function modules and perform unauthorized table update operations, compromising data integrity. The vulnerability requires valid user credentials and network access but has limited scope - no confidentiality or availability impact. CVSS 4.3 (low) reflects the authentication requirement and integrity-only impact; no active exploitation or public POC identified at analysis time.
Technical ContextAI
SAP Incentive and Commission Management uses remote-enabled function modules (RFMs) as callable interfaces in the ABAP environment. Remote-enabled functions can be invoked via RFC (Remote Function Call) protocol from authenticated sessions. The vulnerability stems from CWE-862 (Missing Authorization) - the application fails to validate that an authenticated user has explicit permission to call specific function modules or perform table updates through them. This is distinct from authentication (which is present) and represents a privilege escalation or lateral movement risk within authenticated SAP environments. The CPE indicates all versions of the product may be affected.
RemediationAI
Apply the security patch released by SAP on the designated security patch day (referenced in https://url.sap/sapsecuritypatchday and SAP Note 3718508); exact patched version numbers not specified in available data - verify patch details in the SAP advisory. Interim mitigation: restrict user access controls to limit who can invoke remote-enabled function modules in Incentive and Commission Management (audit profiles for RFC authorization object S_RFC); disable unnecessary RFC connectivity to ICM modules if not operationally required; implement segregation of duties to prevent low-privilege users from accessing sensitive table update functions. Trade-offs: restricting RFC access may impact integrated ERP workflows; verify downstream processes before applying. No patch version data was independently confirmed from the references provided - consult SAP directly for exact remediation steps.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29363
GHSA-vxmw-hcjw-h6q2