Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
5DescriptionCVE.org
Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.
AnalysisAI
Authenticated remote attackers can overwrite eight-character executable ABAP reports in SAP ERP and SAP S/4HANA systems due to missing authorization checks, enabling denial-of-service conditions when legitimate users execute corrupted reports. This authorization bypass (CWE-862) requires low-privilege authenticated access (CVSS PR:L) and has low attack complexity, combining limited integrity impact with high availability impact (CVSS 7.1). EPSS data not provided; no public exploit identified at time of analysis. Affects SAP ERP and SAP S/4HANA Private Cloud and On-Premise deployments.
Technical ContextAI
This vulnerability affects SAP's ABAP (Advanced Business Application Programming) runtime environment within SAP ERP and SAP S/4HANA systems. The affected product per CPE identifier is SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) deployments. The root cause is CWE-862 (Missing Authorization), where a specific ABAP report execution function fails to verify whether the authenticated user has proper authorization to modify executable reports. ABAP reports are executable programs within SAP systems that perform business logic, data processing, and system operations. The vulnerability specifically targets reports with eight-character names, a common naming convention in classic ABAP development. The missing authorization check allows privilege escalation where low-privileged users can perform administrative-level modifications to executable code objects without proper security clearance.
RemediationAI
Apply the security patch provided in SAP Security Note 3731908, accessible through the SAP Support Portal at https://me.sap/notes/3731908. The exact patched version numbers are not specified in available data; consult the security note directly for version-specific patch levels for your SAP ERP or S/4HANA deployment. As an interim workaround, implement compensating controls including enhanced monitoring of ABAP report modifications, restricting execution permissions for the vulnerable report to trusted users only, and implementing transaction-level authorization reviews to ensure low-privilege users cannot access report modification functions. Review SAP authorization objects related to ABAP development (such as S_DEVELOP) and restrict them to authorized developers only. Monitor the official SAP Security Patch Day communications at https://url.sap/sapsecuritypatchday for updates and additional remediation guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22166