Skip to main content

SAP Business Objects CVE-2026-44743

| EUVDEUVD-2026-35280 LOW
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-09 cna@sap.com GHSA-h8fg-cpvm-r33f
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 01:33 vuln.today

DescriptionCVE.org

Under certain conditions, when an unauthorized attacker accesses a specific endpoint, SAP Business Objects application leaks sensitive information .This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application.

AnalysisAI

SAP Business Objects exposes sensitive information through a specific network-accessible endpoint when high-complexity preconditions are met, exploitable by unauthenticated remote attackers. Classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the flaw carries a CVSS score of 3.7 (Low) with impact limited strictly to partial confidentiality loss - integrity and availability are unaffected. No public exploit has been identified at time of analysis, and no active exploitation has been confirmed.

Technical ContextAI

SAP Business Objects is SAP's enterprise business intelligence and analytics platform, widely deployed in large-scale enterprise environments. The root cause is CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere - meaning the application inadvertently returns internal system data (such as configuration details, internal paths, or application state) through a specific endpoint response under triggerable conditions. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) confirms the vulnerability is reachable over the network without authentication, but requires high attack complexity to trigger, implying specific environmental, temporal, or application-state prerequisites. No CPE strings were provided in the available intelligence; exact affected component versions must be resolved via SAP Security Note 3706000.

RemediationAI

Apply the fix detailed in SAP Security Note 3706000 (https://me.sap.com/notes/3706000), following SAP's Security Patch Day guidance at https://url.sap/sapsecuritypatchday. The exact patched version number is not specified in the available intelligence data and must be retrieved directly from the SAP Note for your specific deployment version. As a compensating control while patching, restrict network-level access to the identified vulnerable endpoint via firewall rules or reverse-proxy access controls - note this may impact legitimate users if the endpoint is used in normal business workflows, so validate the endpoint's operational purpose before blocking. Given the low CVSS score and high attack complexity, this item can be addressed within a standard SAP patch cycle batch unless co-remediation with higher-severity SAP patches released on the same patch day is feasible.

Share

CVE-2026-44743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy