CVE-2026-0484 - Vulnerability Details

- Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA

Description

Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. This vulnerability has a high impact on integrity of the application with no effect on the confidentiality and availability.

Published: 2026-02-10

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA allows an authenticated attacker to access a specific transaction code and change text data stored in the system. The flaw does not expose sensitive information or disrupt system availability, but it directly alters application integrity, potentially corrupting business records.

Affected Systems

The vulnerability affects SAP NetWeaver Basis releases 7.0 through 8.16, which include SAP NetWeaver Application Server ABAP and SAP S/4HANA. Any installation of these components that has not applied the defined fix is potentially exposed.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate to high risk, and the EPSS score of less than 1% suggests exploitation is unlikely but not impossible. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires a valid authenticated session, so it is typically confined to internal users who have sufficient privileges to execute the vulnerable transaction. Once accessed, the attacker can modify application data, which may lead to downstream processing errors or false reporting.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP NetWeaver Application Server ABAP and SAP S/4HANA

unaffected

Version	Status	Constraints
`SAP_BASIS 700`	affected	—
`SAP_BASIS 701`	affected	—
`SAP_BASIS 702`	affected	—
`SAP_BASIS 731`	affected	—
`SAP_BASIS 740`	affected	—
`SAP_BASIS 750`	affected	—
`SAP_BASIS 751`	affected	—
`SAP_BASIS 752`	affected	—
`SAP_BASIS 753`	affected	—
`SAP_BASIS 754`	affected	—
`SAP_BASIS 755`	affected	—
`SAP_BASIS 756`	affected	—
`SAP_BASIS 757`	affected	—
`SAP_BASIS 758`	affected	—
`SAP_BASIS 816`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:sap:sap_basis:700:::::::*
	cpe:2.3:a:sap:sap_basis:701:::::::*
	cpe:2.3:a:sap:sap_basis:702:::::::*
	cpe:2.3:a:sap:sap_basis:731:::::::*
	cpe:2.3:a:sap:sap_basis:740:::::::*
	cpe:2.3:a:sap:sap_basis:750:::::::*
	cpe:2.3:a:sap:sap_basis:751:::::::*
	cpe:2.3:a:sap:sap_basis:752:::::::*
	cpe:2.3:a:sap:sap_basis:753:::::::*
	cpe:2.3:a:sap:sap_basis:754:::::::*
	cpe:2.3:a:sap:sap_basis:755:::::::*
	cpe:2.3:a:sap:sap_basis:756:::::::*
	cpe:2.3:a:sap:sap_basis:757:::::::*
	cpe:2.3:a:sap:sap_basis:758:::::::*
	cpe:2.3:a:sap:sap_basis:816:::::::*

No data.

Vendor Product Confidence Versions

Sap Se

Sap Netweaver Application Server Abap And Sap S/4hana

—

Version	Status	Scheme	Platform
`SAP_BASIS 700`	affected	generic	—
`SAP_BASIS 701`	affected	generic	—
`SAP_BASIS 702`	affected	generic	—
`SAP_BASIS 731`	affected	generic	—
`SAP_BASIS 740`	affected	generic	—
`SAP_BASIS 750`	affected	generic	—
`SAP_BASIS 751`	affected	generic	—
`SAP_BASIS 752`	affected	generic	—
`SAP_BASIS 753`	affected	generic	—
`SAP_BASIS 754`	affected	generic	—
`SAP_BASIS 755`	affected	generic	—
`SAP_BASIS 756`	affected	generic	—
`SAP_BASIS 757`	affected	generic	—
`SAP_BASIS 758`	affected	generic	—
`SAP_BASIS 816`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the SAP security patch provided in SAP Note 3672622 to restore the missing authorization check on the vulnerable transaction code.
Restrict the transaction code to only those roles that truly require it, thereby limiting potential abuse until the patch is deployed.
Implement monitoring of audit logs for changes to text data and conduct regular integrity checks to detect any unauthorized modifications post‑patch.

Generated by OpenCVE AI on April 18, 2026 at 12:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3672622
https://url.sap/sapsecuritypatchday

History

Tue, 17 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap sap Basis
Weaknesses		CWE-862
CPEs		cpe:2.3:a:sap:sap_basis:700:::::::* cpe:2.3:a:sap:sap_basis:701:::::::* cpe:2.3:a:sap:sap_basis:702:::::::* cpe:2.3:a:sap:sap_basis:731:::::::* cpe:2.3:a:sap:sap_basis:740:::::::* cpe:2.3:a:sap:sap_basis:750:::::::* cpe:2.3:a:sap:sap_basis:751:::::::* cpe:2.3:a:sap:sap_basis:752:::::::* cpe:2.3:a:sap:sap_basis:753:::::::* cpe:2.3:a:sap:sap_basis:754:::::::* cpe:2.3:a:sap:sap_basis:755:::::::* cpe:2.3:a:sap:sap_basis:756:::::::* cpe:2.3:a:sap:sap_basis:757:::::::* cpe:2.3:a:sap:sap_basis:758:::::::* cpe:2.3:a:sap:sap_basis:816:::::::*
Vendors & Products		Sap Sap sap Basis

Tue, 10 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sap Netweaver Application Server Abap And Sap S/4hana
Vendors & Products		Sap Se Sap Se sap Netweaver Application Server Abap And Sap S/4hana

Tue, 10 Feb 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. This vulnerability has a high impact on integrity of the application with no effect on the confidentiality and availability.
Title		Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA
Weaknesses		CWE-601
References		https://me.sap.com/notes/3672622 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Sap Sap Basis

Sap Se Sap Netweaver Application Server Abap And Sap S/4hana

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-02-10T03:00:41.098Z

Updated: 2026-02-10T20:18:52.296Z

Reserved: 2025-12-09T22:05:48.244Z

Link: CVE-2026-0484

Vulnrichment

Updated: 2026-02-10T20:18:49.647Z

NVD

Status : Analyzed

Published: 2026-02-10T04:16:00.947

Modified: 2026-02-17T16:12:08.050

Link: CVE-2026-0484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object