Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.
AnalysisAI
Missing authorization checks in SAP Business Analytics and SAP Content Management allow authenticated users to invoke unauthorized remote function module calls, enabling confidential data access beyond their assigned permissions. The vulnerability affects all versions of the product and carries a CVSS score of 6.5 with confirmed high confidentiality impact. No public exploit code or active exploitation has been reported at time of analysis.
Technical ContextAI
This vulnerability stems from inadequate authorization validation (CWE-862: Missing Authorization) in SAP's remote function call (RFC) handling mechanisms. SAP Business Analytics and SAP Content Management utilize RFC interfaces to enable inter-system communication and modular function invocation. The missing authorization check fails to properly validate whether an authenticated user possesses sufficient privileges to execute specific remote function modules before processing the request. While authentication is performed (confirming user identity), the subsequent authorization layer (verifying user permissions against callable modules) is absent or improperly enforced. This allows an authenticated attacker to escalate their functional access without elevated credentials, potentially reading sensitive business data, analytics metadata, or content repository information that should be restricted by role-based access control.
RemediationAI
SAP has released security patches addressing the missing authorization check. Organizations must apply the vendor-released patch via SAP Security Patch Day updates; exact patched versions should be obtained from SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and SAP Note 3705094 (https://me.sap.com/notes/3705094). As interim mitigation pending patch deployment, restrict network access to remote function module endpoints via firewall or VPN controls, implement additional application-level authorization logging to detect unauthorized RFC calls, and audit user permissions for sensitive function modules to identify overprivileged accounts. Review RFC destination configurations and user role assignments to ensure least-privilege access control aligns with business requirements.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22170