Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible OData endpoint requires low-privilege authentication; impact is read-only limited disclosure with no integrity or availability effect.
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the application.
AnalysisAI
Missing authorization in SAP S/4HANA's Create Single Payment function exposes restricted entity set keys to authenticated but low-privileged users. The flaw (CWE-862) allows a restricted user to query specific payment-related entity sets beyond their intended access scope, resulting in low-impact confidentiality leakage with no effect on data integrity or system availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, authenticated session in the affected SAP S/4HANA system - specifically, a user account with at least restricted (low-privilege) access (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) scores 4.3 (Medium), reflecting network exploitability with low complexity but a mandatory authentication prerequisite (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated SAP user with a restricted profile logs into the SAP S/4HANA Fiori or OData interface and crafts a direct GET request targeting the Create Single Payment entity set endpoint using keys outside their authorized scope. Because no authorization check intercepts the request, the application returns the payment-related entity data, exposing sensitive financial records to the restricted user. … |
| Remediation | Apply the fix documented in SAP Security Note 3713902, available via the SAP Support Portal at https://me.sap.com/notes/3713902, released as part of SAP Security Patch Day (https://url.sap/sapsecuritypatchday). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43594
GHSA-4573-8946-684p