
SAP NetWeaver ABAP CVE-2026-44751

EUVD-2026-35285 · Severity: HIGH
Missing Authorization (CWE-862)
2026-06-09 · cna@sap.com · GHSA-5h92-3583-x7wf
CVSS 3.1 base score: 7.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 09, 2026 - 01:32 (vuln.today)

Description (NVD)

Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with low impact on availability and no impact on confidentiality of the application.

Analysis (AI)

Privilege escalation in SAP NetWeaver Application Server ABAP allows authenticated low-privilege users to invoke a report generation command that overwrites data belonging to other users, breaking tenant-level data integrity. The flaw stems from missing authorization checks (CWE-862) and carries a CVSS 7.1 rating with high integrity impact; no public exploit identified at time of analysis.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain low-privilege SAP credentials
Delivery: Authenticate to ABAP application server
Exploit: Invoke vulnerable report-generation command
Execution: Bypass missing authorization check
Persist: Overwrite another user's data
Impact: Escalate effective privileges via tampered records

Vulnerability Assessment (AI)

Exploitation: The attacker must hold valid credentials for the SAP NetWeaver ABAP system with enough authorization to reach the vulnerable report-generation command (PR:L), typically any dialog, communication, or service user that has S_TCODE/S_PROGRAM access to the affected report. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) describes a network-reachable, low-complexity attack that requires only low privileges and no user interaction, with high integrity impact and low availability impact; this is consistent with an authenticated business user abusing an over-exposed report. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained or been issued any low-privilege SAP dialog or service account (for example, a compromised business-user credential or a contractor account) authenticates to the ABAP application server and invokes the vulnerable report-generation command with parameters that reference a record owned by another user. Because the report executes without performing the authorization check against the target object, the attacker's write succeeds and the victim's data is silently overwritten, enabling tampering with master data, workflow approvals, or audit-relevant records to escalate effective privileges.

Remediation: A patch is available per the vendor advisory: apply SAP Security Note 3735546 (https://me.sap.com/notes/3735546), released as part of the SAP Security Patch Day bundle indexed at https://url.sap/sapsecuritypatchday, which is the authoritative source for the exact corrected Support Package and kernel levels. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all SAP NetWeaver Application Server ABAP systems and document current user privilege assignments. …


CVE-2026-44751 vulnerability details – vuln.today
