CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.
Analysis (AI)
Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker needs valid credentials for a normal-privilege account on the target NetWeaver AS ABAP / ABAP Platform instance (CVSS PR:L) and network reachability to the endpoint that accepts the signed XML (AV:N), typically HTTP(S) services exposed by the ICM such as SAML/SSO endpoints, web services, or other XML-consuming interfaces. The public description does not name the affected endpoint or XML profile. … |
| Risk Assessment | The CVSS 9.9 score is driven by network reachability (AV:N), low attack complexity (AC:L), a scope change (S:C: the accepted forged identity is consumed by components beyond the vulnerable verifier) and full CIA impact, which is consistent with an authentication-bypass-class flaw. … |
| Exploit Scenario | An attacker holding a normal-privilege SAP user (obtained through phishing, credential stuffing, contractor access, or an insider) captures a legitimate signed XML message produced by the system, for example a SAML assertion or a signed inter-system identity token, and submits a modified document in which the signed element still validates but the identity fields the application consumes name a privileged user. The verifier accepts the tampered identity, granting access to sensitive business data or administrative functions across a trust boundary (S:C). This is the XML signature wrapping pattern; whether the SAP defect is exactly that is not stated in the public description. … |
| Remediation | Apply the correction shipped with SAP Security Note 3746332 (https://me.sap.com/notes/3746332) for your installed NetWeaver AS ABAP / ABAP Platform release and Support Package stack. The fixed SP and kernel levels are listed only in the customer-authenticated note and are not in the public record. … |
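The pattern the Exploit Scenario row describes, a signature that still validates while the application consumes identity fields from a different element, is the classic XML signature wrapping weakness. The script below is an added illustration written for this page; it is not SAP code and makes no claim about the exact defect behind Note 3746332, which the public record does not detail. It assumes a keyed HMAC over a serialized element as a stand-in for XML-DSig, constructed message shapes (Response, Signature, Assertion, Subject) and DDIC as an example of a privileged SAP account name. verify_vulnerable validates the referenced element but reads the Subject from the first Assertion in document order; verify_hardened reads identity only from the element it just verified and rejects documents whose shape deviates from the expected one.

```python
# Added illustration (not SAP code): XML signature wrapping against a verifier that
# validates one element but reads identity from another. A keyed HMAC over the
# serialized element stands in for XML-DSig; every message below is constructed.
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared key; stands in for the verifier's trusted signing key material.
KEY = b"constructed-demo-key"


def canon(elem: ET.Element) -> str:
    """Serialize one element without its tail text (toy stand-in for C14N)."""
    e = copy.deepcopy(elem)
    e.tail = None
    return ET.tostring(e, encoding="unicode")


def sign(data: str) -> str:
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()


def build_signed_message(subject: str) -> str:
    """What the legitimate system emits: a Response carrying one signed Assertion."""
    assertion = ET.Element("Assertion", ID="a1")
    ET.SubElement(assertion, "Subject").text = subject
    signature = ET.Element("Signature", Reference="a1", Value=sign(canon(assertion)))
    root = ET.Element("Response")
    root.extend([signature, assertion])
    return ET.tostring(root, encoding="unicode")


def wrap_and_forge(captured_xml: str, target_subject: str) -> str:
    """Attacker step: keep the captured, validly signed Assertion (moved under a
    Wrapper so the ID reference still resolves) and place an unsigned Assertion
    naming the target identity ahead of it in document order."""
    root = ET.fromstring(captured_xml)
    signature = root.find("Signature")
    original = root.find("Assertion")
    forged = ET.Element("Assertion", ID="forged")
    ET.SubElement(forged, "Subject").text = target_subject
    wrapper = ET.Element("Wrapper")
    wrapper.append(original)
    new_root = ET.Element("Response")
    new_root.extend([signature, forged, wrapper])
    return ET.tostring(new_root, encoding="unicode")


def _find_by_id(root: ET.Element, ref: str) -> list:
    return [e for e in root.iter() if e.get("ID") == ref]


def verify_vulnerable(doc_xml: str):
    """Signature check and identity extraction are decoupled: the signature is
    verified over whichever element carries the referenced ID, but the Subject
    is then taken from the first Assertion anywhere in the document."""
    root = ET.fromstring(doc_xml)
    signature = root.find("Signature")
    matches = _find_by_id(root, signature.get("Reference"))
    if len(matches) != 1:
        return None
    if not hmac.compare_digest(sign(canon(matches[0])), signature.get("Value", "")):
        return None
    # BUG: this element is not necessarily the one that was just verified.
    return root.findtext(".//Assertion/Subject")


def verify_hardened(doc_xml: str):
    """Identity is read only from the element whose signature was verified, and
    the document must have the expected shape: exactly one Assertion, directly
    under the root, carrying the referenced ID."""
    root = ET.fromstring(doc_xml)
    signature = root.find("Signature")
    assertions = root.findall(".//Assertion")
    if signature is None or len(assertions) != 1:
        return None
    signed = assertions[0]
    if root.find("Assertion") is not signed or signed.get("ID") != signature.get("Reference"):
        return None
    if not hmac.compare_digest(sign(canon(signed)), signature.get("Value", "")):
        return None
    return signed.findtext("Subject")


if __name__ == "__main__":
    legit = build_signed_message("alice")      # captured by the low-privileged user
    forged = wrap_and_forge(legit, "DDIC")     # DDIC: example privileged SAP account
    print("vulnerable verifier accepts:", verify_vulnerable(forged))
    print("hardened verifier accepts:  ", verify_hardened(forged))
```

Directly editing the Subject inside the signed element breaks the HMAC and both verifiers reject it; the wrapping variant succeeds only because the vulnerable verifier never ties the element it validated to the element it reads. Binding extraction to the verified node and rejecting unexpected document shapes is the generic fix a practitioner should expect any XML-signature consumer to implement.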
Recommended Action (AI)
Within 24 hours: inventory all SAP NetWeaver AS ABAP / ABAP Platform installations; review which accounts hold normal-privilege access, since that is all the attack requires (PR:L); notify the security and SAP teams of the critical vulnerability status. …
EUVD-2026-35283
GHSA-c2v4-jg9m-jgrr