CVE-2026-40132

MEDIUM

Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)

Title source: cna

Description

Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application�s availability.

References (2)

Core 2

Core References

https://me.sap.com/notes/3721959

https://url.sap/sapsecuritypatchday

Scores

CVSS v3 5.4

EPSS 0.0001

EPSS Percentile 1.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (8)

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) 700

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) 736

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) 746

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) 747

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) 748

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) 749

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) 800

SAP_SE/SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) SEM-BW 605

Published May 12, 2026

Tracked Since May 12, 2026