Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leading to low impact on confidentiality. Integrity and availability are unaffected.
AnalysisAI
Content injection into SAP Gateway error messages exposes internal implementation details - specifically regex patterns and URI parsing logic - to authenticated remote attackers. Affecting SAP Gateway versions 750 through 758 and SAP_BASIS 795, the flaw allows an attacker with low-level network credentials to craft inputs that surface sensitive system internals via error responses. Confidentiality impact is rated low; integrity and availability are unaffected. No active exploitation is confirmed (CISA KEV absent), and EPSS sits at 0.01%, consistent with SSVC's 'exploitation: none' assessment.
Technical ContextAI
SAP Gateway is the OData and RFC-based integration layer within SAP's NetWeaver stack, responsible for routing and processing API requests between SAP backends and external consumers. The root cause is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere): the Gateway does not sanitize or neutralize attacker-controlled input before embedding it in error message output. This allows injected content to interact with or surface the internal URI parsing logic and regex patterns used by the Gateway's request processing pipeline. CPE data confirms affected components as cpe:2.3:a:sap_se:sap_gateway:*:*:*:*:*:*:*:*, spanning both the GWFND 750 basis foundation layer and the higher SAP_BASIS 795 stack. Leaking regex and routing patterns is meaningful in SAP environments because it can inform bypass attempts against input validation or access control logic in subsequent exploitation steps.
RemediationAI
The primary remediation is to apply the patch published by SAP via Security Note 3433366 (https://me.sap.com/notes/3433366), released as part of SAP Security Patch Day. The exact patched version number is not independently confirmed from the available data - organizations must consult the SAP Note directly via SAP Support Portal to identify the specific support package or kernel patch level required for their basis version. As a compensating control pending patching, restrict network access to SAP Gateway endpoints to trusted internal IP ranges or authenticated VPN users only, reducing the pool of potential PR:L authenticated users who could trigger the injection. Additionally, review and tighten SAP Gateway authorization objects (e.g., /IWFND/* and /IWBEP/* auth objects) to enforce least-privilege access, limiting who can send requests to error-triggering endpoints. Note that these controls reduce exposure but do not eliminate the vulnerability - patching remains the definitive fix.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31933
GHSA-53r4-mvj6-w855