Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.
AnalysisAI
Unintended data disclosure in SAP's Operational Data Provisioning RFC (ODP-RFC) modules stems from missing caller identification controls that fail to restrict invocation to permitted SAP-internal applications. Highly privileged customer or third-party applications can invoke these internal RFC modules outside their intended usage context, exposing sensitive operational data across a Changed scope boundary (S:C). No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the High confidentiality impact combined with scope change warrants attention in SAP environments where ODP is exposed to external RFC consumers.
Technical ContextAI
SAP RFC (Remote Function Call) is SAP's proprietary synchronous inter-process communication protocol used for intra- and inter-system calls within the SAP ecosystem. The ODP (Operational Data Provisioning) framework provides a unified data replication API - the ODP-RFC layer exposes RFC-callable function modules intended exclusively for SAP-internal consumers such as the SAP Data Services or embedded replication components. The root cause maps to CWE-862 (Missing Authorization): the RFC function modules do not implement caller identification checks to validate that the invoking application is a permitted SAP-internal entity, as opposed to a customer-developed ABAP program or a third-party RFC-capable connector. The CVSS scope indicator S:C (Changed) confirms that exploitation can cause impact on components or data outside the ODP-RFC module boundary itself - consistent with internal data replication pathways being accessed by unauthorized callers and exposing datasets from other SAP system components.
RemediationAI
The primary fix is documented in SAP Security Note 3748819, available at https://me.sap.com/notes/3748819 via the SAP Support Portal. An exact patched version or transport number is not independently confirmed from available data - consult the security note directly for the applicable ABAP correction transport. As compensating controls prior to patching: restrict RFC authorization objects (particularly S_RFC authorization checks on the relevant ODP function groups) so that only designated SAP-internal system users and trusted RFC destinations can invoke these modules; this reduces the attack surface without disabling ODP replication entirely, but may require testing against legitimate third-party integrations to avoid breaking authorized data flows. Audit all RFC user accounts and third-party RFC logical destinations to identify any non-SAP applications currently calling ODP-RFC function modules and remove or restrict those authorizations. Enable and review SAP system logs and RFC audit logs for unexpected invocations of ODP function modules as a detection measure.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35286
GHSA-rgfw-84wh-4r93