Skip to main content

SAP Strategic Enterprise Management EUVDEUVD-2026-29362

| CVE-2026-40132 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 sap GHSA-j2qh-793j-f8hc
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:21 nvd
MEDIUM 5.4

DescriptionCVE.org

Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application�s availability.

AnalysisAI

Missing authorization checks in SAP Strategic Enterprise Management's Scorecard Wizard (Business Server Pages application) allow authenticated users to access restricted information and modify risk evaluation settings without proper authorization. An attacker with valid credentials can view confidential data and alter default configuration values, artificially reducing assessed risk levels to deceive risk assessment processes. No patch availability or active exploitation has been confirmed.

Technical ContextAI

SAP Strategic Enterprise Management (SEM) is an enterprise software platform for financial consolidation, planning, and risk management. The vulnerability exists in the Scorecard Wizard component, a Business Server Pages (BSP) application within SEM's balanced scorecard functionality. BSP is SAP's proprietary web application technology built on top of the ABAP runtime environment. The root cause is CWE-862 (Missing Authorization), indicating the application fails to enforce proper access control checks before allowing users to retrieve sensitive information or modify configuration parameters. The vulnerability affects all versions of the affected CPE string, suggesting a systemic authorization gap rather than a version-specific flaw.

RemediationAI

Contact SAP Support immediately and consult SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and SAP Note 3721959 (https://me.sap.com/notes/3721959) for the appropriate patched SEM version for your deployment. No specific patch version number is confirmed in available data at time of analysis. As interim compensating controls pending patch deployment, restrict access to the Scorecard Wizard component at the network level using firewall or reverse proxy rules to limit exposure to only authorized personnel; audit access logs for unauthorized attempts to view or modify scorecard settings; and implement role-based access control (RBAC) segregation to ensure users cannot access scorecard data outside their assigned business unit or function. These controls do not remediate the underlying authorization flaw but reduce exposure window. Request SAP for specific ABAP role restrictions or BSP URL path exclusions applicable to your SEM version.

Share

EUVD-2026-29362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy