Skip to main content

SAP BusinessObjects BI CVE-2026-44755

| EUVDEUVD-2026-35287 MEDIUM
Origin Validation Error (CWE-346)
2026-06-09 cna@sap.com GHSA-7555-458q-jpfv
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 01:36 vuln.today

DescriptionCVE.org

SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability.This vulnerability has a low impact on integrity and does not affect the confidentiality and availability of the application.

AnalysisAI

Email spoofing in the SAP Business Objects Business Intelligence Platform allows authenticated network users to manipulate email sending parameters without sufficient server-side validation, enabling them to craft and dispatch emails with falsified sender or header fields. Affected users require only low-privilege authentication, and exploitation is network-accessible with no additional user interaction required. No public exploit code exists and this vulnerability is not listed in CISA KEV; the CVSS score of 4.3 (Medium) accurately reflects the limited, integrity-only impact scoped to the application.

Technical ContextAI

The SAP Business Objects Business Intelligence Platform includes email delivery functionality used for report scheduling, alerts, and notifications. CWE-346 (Origin Validation Error) identifies the root cause: the application fails to adequately validate or sanitize email-related parameters - such as sender address, reply-to, or subject fields - supplied by authenticated users before passing them to the email dispatch subsystem. This class of flaw allows user-controlled input to influence message origin metadata, enabling spoofed email construction. The vulnerability is confined to the BI Platform's email feature surface; CPE data was not explicitly provided in the source intelligence, so affected build versions must be determined from SAP Security Note 3687096.

RemediationAI

Apply the patch provided by SAP as documented in SAP Security Note 3687096, available at https://me.sap.com/notes/3687096, released as part of SAP Security Patch Day. No exact fixed version number was included in the available intelligence data - administrators should consult the security note directly to identify the applicable Support Package or patch level for their installation. As a compensating control where immediate patching is not feasible, restrict the email sending feature to a minimal set of trusted users and audit email dispatch logs for anomalous sender fields. Additionally, configure the downstream mail relay to enforce sender address policies (e.g., SPF, DKIM, DMARC) so that spoofed From headers are rejected or flagged before reaching recipients - note this does not fix the root validation flaw but reduces downstream phishing impact.

Share

CVE-2026-44755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy