Skip to main content

EUVDEUVD-2026-22142

| CVE-2026-27672 MEDIUM
Missing Authorization (CWE-862)
2026-04-14 cna@sap.com GHSA-hvjp-3x5g-4g4f
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:24 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22142
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 4.3

DescriptionCVE.org

The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.

AnalysisAI

Material Master application fails to enforce authorization checks for authenticated users executing reports, allowing disclosure of sensitive information to any authenticated user regardless of intended access permissions. Affects SAP Material Master with CVSS 4.3 (low severity) and confirmed authentication requirement; no active exploitation reported. Remote attackers with valid credentials can access restricted report data without additional attack complexity.

Technical ContextAI

The vulnerability stems from inadequate authorization enforcement (CWE-862: Missing Authorization) in the Material Master reporting module. The application implements authentication (verified via CVSS PR:L requirement) but omits role-based or attribute-based authorization checks when users execute report functionality. This is a classic privilege escalation scenario where authenticated sessions bypass intended access controls on report execution endpoints, allowing lateral movement to data beyond the user's assigned permissions. The Material Master component is part of the SAP ERP ecosystem, typically handling inventory, procurement, and supply chain data classified as sensitive business information.

RemediationAI

Apply the security patch released by SAP as documented in note 3703276 and the SAP Security Patch Day advisory at https://url.sap/sapsecuritypatchday. The patch adds proper authorization enforcement checks to the Material Master reporting module, ensuring authenticated users can only execute reports matching their assigned roles and permissions. As an interim mitigation, restrict report execution access to Material Master via role assignments and regularly audit access logs to detect unauthorized report execution attempts. Verify patching via SAP Solution Manager or the Configuration Validation Tool post-deployment.

Share

EUVD-2026-22142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy