CVE-2026-34256

HIGH

Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

Title source: cna

Description

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

References (2)

https://me.sap.com/notes/3731908

https://url.sap/sapsecuritypatchday

Scores

CVSS v3 7.1

EPSS 0.0004

EPSS Percentile 12.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (20)

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 103

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 104

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 105

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 106

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 107

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 108

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 109

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 602

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 603

SAP_SE/SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 604

... and 10 more

Published Apr 14, 2026

Tracked Since Apr 14, 2026