CVE-2026-27673

MEDIUM

Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise)

Title source: cna

Description

Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations which could leads to no impact on Confidentiality, Low impact on Integrity and Availability of the application.

References (2)

https://me.sap.com/notes/3703813

https://url.sap/sapsecuritypatchday

Scores

CVSS v3 4.9

EPSS 0.0003

EPSS Percentile 10.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (9)

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) 106

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) 107

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) 108

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) 109

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) 616

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) 617

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) 618

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) FI-CA 606

SAP_SE/SAP S/4HANA (Private Cloud and On-Premise) S4CORE 105

Published Apr 14, 2026

Tracked Since Apr 14, 2026