CVE-2026-24318

MEDIUM

Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform

Title source: cna

Description

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected.

References (2)

Core 2

Core References

https://me.sap.com/notes/3702191

https://url.sap/sapsecuritypatchday

Scores

CVSS v3 4.2

EPSS 0.0007

EPSS Percentile 21.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-539

Status published

Products (3)

SAP_SE/SAP BusinessObjects Business Intelligence Platform 2025

SAP_SE/SAP BusinessObjects Business Intelligence Platform 2027

SAP_SE/SAP BusinessObjects Business Intelligence Platform ENTERPRISE 430

Published Apr 14, 2026

Tracked Since Apr 14, 2026