Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
SAP S/4HANA(On-Premise) contains SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries.This flaw exposes sensitive information to which they should not otherwise have access to. The vulnerability has a high impact on the confidentiality of the data with no impact on the integrity and availability of the application.
AnalysisAI
SQL injection in SAP S/4HANA (On-Premise) exposes sensitive ERP database content to authenticated network attackers via a vulnerable remote-enabled function module. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only a low-privilege SAP user account, with high confidentiality impact and no effect on data integrity or system availability. No public exploit or CISA KEV listing has been identified at time of analysis; SAP has issued a security note addressing the issue.
Technical ContextAI
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) identifies the root cause as insufficient sanitization of user-supplied input before incorporation into database queries. In SAP S/4HANA On-Premise, the ABAP application server exposes remote-enabled function modules (RFC-enabled FMs) that are callable over the network via SAP's RFC or HTTP/SOAP interfaces. When such a module constructs Open SQL or Native SQL statements using unsanitized caller-supplied parameters, an attacker can inject arbitrary SQL fragments and manipulate the query logic. No CPE strings were provided in the source data, so the precise affected component identifier cannot be cited; SAP Security Note 3751691 is the authoritative source for affected release and component details.
RemediationAI
Apply SAP Security Note 3751691, available via the SAP Support Portal at https://me.sap.com/notes/3751691, released as part of SAP Security Patch Day (https://url.sap/sapsecuritypatchday). The exact patched version or transport number is not independently confirmed from available data - consult the note directly for the applicable correction transport and supported release matrix. As a compensating control pending patching, restrict authorization to invoke the vulnerable remote-enabled function module by tightening the relevant SAP authorization objects (S_RFC or equivalent) so that only explicitly required users or roles retain remote-call rights; note that overly broad restrictions on RFC authorization can break legitimate integrations and workflows, so an impact analysis is recommended before applying access changes. Additionally, review SAP Gateway and RFC security settings to limit which systems and users can initiate external RFC calls to the application server.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35281
GHSA-wxg7-5pqj-jxrf