CVE-2026-40133

MEDIUM

Missing Authorization check in SAP S/4HANA Condition Maintenance

Title source: cna

Description

Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.

References (2)

Core 2

Core References

https://me.sap.com/notes/3718083

https://url.sap/sapsecuritypatchday

Scores

CVSS v3 6.3

EPSS 0.0001

EPSS Percentile 3.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (8)

SAP_SE/SAP S/4HANA Condition Maintenance 103

SAP_SE/SAP S/4HANA Condition Maintenance 104

SAP_SE/SAP S/4HANA Condition Maintenance 105

SAP_SE/SAP S/4HANA Condition Maintenance 106

SAP_SE/SAP S/4HANA Condition Maintenance 107

SAP_SE/SAP S/4HANA Condition Maintenance 108

SAP_SE/SAP S/4HANA Condition Maintenance 109

SAP_SE/SAP S/4HANA Condition Maintenance S4CORE 102

Published May 12, 2026

Tracked Since May 12, 2026