CVE-2026-0504

LOW

SAP Identity Management - Info Disclosure

Title source: llm

Description

Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.

Scores

CVSS v3 3.8
EPSS 0.0004
EPSS Percentile 11.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-943
Status published
Products (2)
SAP_SE/SAP Identity Management IDMIC 8.0
SAP_SE/SAP Identity Management IDM_CLM_REST_API 8.0
Published Jan 13, 2026
Tracked Since Feb 18, 2026