Description
In ABAP based SAP systems a remote enabled function module does not perform necessary authorization checks for an authenticated user resulting in disclosure of system information. This has low impact on confidentiality. Integrity and availability are not impacted.
Published: 2026-02-10
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The flaw lies in ABAP based SAP systems where a remotely enabled function module omits required authorization checks for an authenticated user, allowing disclosure of system information. The vulnerability has a low confidentiality impact and does not affect integrity or availability.

Affected Systems

Affected installations include ABAP based SAP systems that use the Solution Tools plug‑in packages 2005_1_700, 2008_1_710, 740, and 758. Version details are not specified in the advisory, so any deployment of these plugins may be vulnerable.

Risk and Exploitability

The CVSS base score of 5 indicates medium severity, while the EPSS score of less than 1% suggests limited exploitation likelihood. The vulnerability is not listed in CISA KEV. The likely attack scenario involves a user who has authenticated to the SAP environment and can invoke the function module through the SAP interface, thereby retrieving restricted system data. Since integrity and availability remain unaffected, the predominant risk is controlled information leakage to authenticated accounts.

Generated by OpenCVE AI on April 18, 2026 at 12:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP Note 3691645 patch to insert the missing authorization checks in the vulnerable function module.
  • If a custom implementation exists or the patch does not cover the specific function module, add explicit authorization object checks to enforce proper access control.
  • Restrict the execution of the function module by assigning it only to trusted roles and limiting role memberships.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap solution Tools Plug-in
CPEs cpe:2.3:a:sap:solution_tools_plug-in:2005_1_700:*:*:*:*:*:*:*
cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:*:*:*:*:*:*:*
cpe:2.3:a:sap:solution_tools_plug-in:740:*:*:*:*:*:*:*
cpe:2.3:a:sap:solution_tools_plug-in:758:*:*:*:*:*:*:*
Vendors & Products Sap
Sap solution Tools Plug-in

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se abap Based Sap Systems
Vendors & Products Sap Se
Sap Se abap Based Sap Systems

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description In ABAP based SAP systems a remote enabled function module does not perform necessary authorization checks for an authenticated user resulting in disclosure of system information. This has low impact on confidentiality. Integrity and availability are not impacted.
Title Missing Authorization Check in ABAP based SAP systems
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T15:45:30.862Z

Reserved: 2025-12-09T22:06:30.443Z

Link: CVE-2026-0486

Vulnrichment

Updated: 2026-02-10T15:45:21.935Z

NVD

Status: Analyzed

Published: 2026-02-10T04:16:01.550

Modified: 2026-02-17T16:11:29.140

Link: CVE-2026-0486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z
