Skip to main content

SAP Financial Consolidation CVE-2026-40136

| EUVDEUVD-2026-29365 MEDIUM
Improper Resource Shutdown or Release (CWE-404)
2026-05-12 sap GHSA-296w-48hc-3xvf
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:21 nvd
MEDIUM 4.3

DescriptionCVE.org

SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions temporarily preventing access. However, the application itself cannot be compromised resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data

AnalysisAI

SAP Financial Consolidation permits authenticated attackers to forcibly terminate other users' sessions, temporarily denying them access to the application. The vulnerability has limited impact, affecting only availability through session disconnection while leaving the application itself and all data integrity and confidentiality intact. CVSS score of 4.3 reflects low severity, and no public exploit code or active exploitation has been identified.

Technical ContextAI

SAP Financial Consolidation is an enterprise resource planning (ERP) module responsible for consolidating financial data across multiple subsidiaries and business units. The vulnerability stems from improper handling of session termination mechanisms, classified under CWE-404 (Improper Resource Validation). The affected component lacks adequate controls to restrict which users can terminate sessions belonging to other authenticated users. This is a privilege-scope issue where an authenticated user can perform actions normally reserved for administrators or system managers, though the scope remains unchanged (S:U) indicating the impact does not extend beyond the vulnerable component itself.

RemediationAI

SAP has released security updates addressing this vulnerability; consult SAP Security Patch Day at https://url.sap/sapsecuritypatchday and SAP Note 3713521 at https://me.sap.com/notes/3713521 for the specific patched version and deployment instructions. Apply the vendor-provided patch to all SAP Financial Consolidation instances in your environment. As a temporary compensating control, implement identity and access management (IAM) policies that restrict session termination capabilities to designated administrators only, though this may require custom development depending on the product's permission framework. Monitor session management logs for unusual session termination patterns as an interim detection mechanism. Communicate the temporary nature of this issue to business stakeholders to manage expectations regarding brief service interruptions.

Share

CVE-2026-40136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy