Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Network-reachable, low-complexity, unauthenticated open redirect in the OAuth2 flow requiring a victim click (UI:R); token/code theft yields high C and I, no availability impact.
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results in a high impact to the confidentiality and integrity with no impact on the availability of the application.
AnalysisAI
Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that SAP Approuter be running in one of the vulnerable 'certain configurations' of the OAuth2 login flow where incoming request headers are not validated - i.e., the OAuth2/XSUAA-backed login path must be enabled and reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (8.1, High) describes a network-reachable, low-complexity, unauthenticated attack whose single gating factor is user interaction - the victim must click the malicious link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a link to a legitimate SAP Approuter-fronted application that embeds manipulated headers/parameters influencing the OAuth2 redirect, then delivers it to a targeted user via phishing email or chat. When the authenticated victim clicks the link and completes the OAuth2 login, Approuter redirects the flow (or leaks the authorization code) to an attacker-controlled destination, letting the attacker obtain unauthorized access to the application with the victim's context. … |
| Remediation | Patch available per vendor advisory: apply the fix described in SAP Security Note 3741519 (https://me.sap.com/notes/3741519) and cross-check the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday) for the exact patched Approuter release, then upgrade the @sap/approuter dependency to that version; the note lists the specific fixed version, which is not reproduced in the input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all SAP Approuter instances in your environment and assess which business applications depend on them; notify application owners, security teams, and BTP platform administrators of the vulnerability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43585
GHSA-44p5-3m5g-vfhj