Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable unauthenticated endpoint (AV:N/PR:N), but reliable enumeration requires differential response analysis justifying AC:H; only account existence disclosed (C:L), no integrity or availability impact.
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
SAP HANA Database (user self service tools) allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application.
AnalysisAI
User account enumeration in SAP HANA Extended Application Services Classic Model (XSC) user self-service tools allows unauthenticated remote attackers to identify valid usernames and email addresses by crafting requests that elicit distinguishable server responses. The CWE-204 root cause - observable response discrepancy - means the application behaves differently for valid versus invalid accounts, leaking account existence without requiring credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the SAP HANA Extended Application Services Classic Model (XSC) user self-service feature is deployed and network-accessible to the attacker - this is a component-level deployment condition, not just a configuration flag, meaning organisations that have never deployed XSC or have decommissioned it are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.7 accurately reflects the limited real-world risk: the vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N indicates that while the endpoint is network-reachable without authentication, the high attack complexity (AC:H) suggests the distinguishable responses require non-trivial effort to detect reliably - such as precise timing measurement or differential analysis under variable network conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker with network access to the SAP HANA XSC user self-service portal submits a series of crafted account-lookup or password-reset requests cycling through candidate usernames or email addresses. By measuring and comparing response characteristics - such as timing differences, HTTP response codes, or subtle body content variations - the attacker distinguishes valid accounts from invalid ones. … |
| Remediation | The primary remediation is to apply the patch documented in SAP Security Note 3732522 (https://me.sap.com/notes/3732522), released as part of SAP Security Patch Day. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43588
GHSA-q32w-qvcr-5jr4