Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions temporarily preventing access. However, the application itself cannot be compromised resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data
AnalysisAI
SAP Financial Consolidation permits authenticated attackers to forcibly terminate other users' sessions, temporarily denying them access to the application. The vulnerability has limited impact, affecting only availability through session disconnection while leaving the application itself and all data integrity and confidentiality intact. CVSS score of 4.3 reflects low severity, and no public exploit code or active exploitation has been identified.
Technical ContextAI
SAP Financial Consolidation is an enterprise resource planning (ERP) module responsible for consolidating financial data across multiple subsidiaries and business units. The vulnerability stems from improper handling of session termination mechanisms, classified under CWE-404 (Improper Resource Validation). The affected component lacks adequate controls to restrict which users can terminate sessions belonging to other authenticated users. This is a privilege-scope issue where an authenticated user can perform actions normally reserved for administrators or system managers, though the scope remains unchanged (S:U) indicating the impact does not extend beyond the vulnerable component itself.
RemediationAI
SAP has released security updates addressing this vulnerability; consult SAP Security Patch Day at https://url.sap/sapsecuritypatchday and SAP Note 3713521 at https://me.sap.com/notes/3713521 for the specific patched version and deployment instructions. Apply the vendor-provided patch to all SAP Financial Consolidation instances in your environment. As a temporary compensating control, implement identity and access management (IAM) policies that restrict session termination capabilities to designated administrators only, though this may require custom development depending on the product's permission framework. Monitor session management logs for unusual session termination patterns as an interim detection mechanism. Communicate the temporary nature of this issue to business stakeholders to manage expectations regarding brief service interruptions.
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29365
GHSA-296w-48hc-3xvf