Skip to main content

SAP Gateway EUVDEUVD-2026-31933

| CVE-2026-44749 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-05-26 sap GHSA-53r4-mvj6-w855
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:28 vuln.today

DescriptionCVE.org

The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leading to low impact on confidentiality. Integrity and availability are unaffected.

AnalysisAI

Content injection into SAP Gateway error messages exposes internal implementation details - specifically regex patterns and URI parsing logic - to authenticated remote attackers. Affecting SAP Gateway versions 750 through 758 and SAP_BASIS 795, the flaw allows an attacker with low-level network credentials to craft inputs that surface sensitive system internals via error responses. Confidentiality impact is rated low; integrity and availability are unaffected. No active exploitation is confirmed (CISA KEV absent), and EPSS sits at 0.01%, consistent with SSVC's 'exploitation: none' assessment.

Technical ContextAI

SAP Gateway is the OData and RFC-based integration layer within SAP's NetWeaver stack, responsible for routing and processing API requests between SAP backends and external consumers. The root cause is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere): the Gateway does not sanitize or neutralize attacker-controlled input before embedding it in error message output. This allows injected content to interact with or surface the internal URI parsing logic and regex patterns used by the Gateway's request processing pipeline. CPE data confirms affected components as cpe:2.3:a:sap_se:sap_gateway:*:*:*:*:*:*:*:*, spanning both the GWFND 750 basis foundation layer and the higher SAP_BASIS 795 stack. Leaking regex and routing patterns is meaningful in SAP environments because it can inform bypass attempts against input validation or access control logic in subsequent exploitation steps.

RemediationAI

The primary remediation is to apply the patch published by SAP via Security Note 3433366 (https://me.sap.com/notes/3433366), released as part of SAP Security Patch Day. The exact patched version number is not independently confirmed from the available data - organizations must consult the SAP Note directly via SAP Support Portal to identify the specific support package or kernel patch level required for their basis version. As a compensating control pending patching, restrict network access to SAP Gateway endpoints to trusted internal IP ranges or authenticated VPN users only, reducing the pool of potential PR:L authenticated users who could trigger the injection. Additionally, review and tighten SAP Gateway authorization objects (e.g., /IWFND/* and /IWBEP/* auth objects) to enforce least-privilege access, limiting who can send requests to error-triggering endpoints. Note that these controls reduce exposure but do not eliminate the vulnerability - patching remains the definitive fix.

Share

EUVD-2026-31933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy