CVE-2026-0491 - Vulnerability Details

- Code Injection vulnerability in SAP Landscape Transformation

Description

SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

Published: 2026-01-13

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in SAP Landscape Transformation, allowing an attacker with administrative rights to leverage a remote function module exposed via RFC to inject arbitrary ABAP code and operating system commands. The flaw bypasses essential authorization checks, effectively creating a backdoor. As described, an attacker could execute code with system privileges, resulting in loss of confidentiality, integrity, and availability. The weakness is a classic code injection flaw as identified by CWE-94.

Affected Systems

SAP Landscape Transformation from SAP SE is affected. No version details were supplied, but the issue applies to all deployments configured to allow RFC access to the function module used for landscape transformations.

Risk and Exploitability

The CVSS score of 9.1 categorizes the issue as critical. The EPSS score of less than 1% indicates that exploitation is not currently widespread, but the presence of a backdoor means the risk is high if an attacker gains the necessary administrative privileges. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires access to the RFC interface and administrative credentials; once achieved, the attacker can execute arbitrary code on the host system. Given the severity and the potential for complete system takeover, organizations should treat this as a critical priority.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP Landscape Transformation

unaffected

Version	Status	Constraints
`DMIS 2011_1_700`	affected	—
`2011_1_710`	affected	—
`2011_1_730`	affected	—
`2011_1_731`	affected	—
`2018_1_752`	affected	—
`2020`	affected	—

No data.

Vendor	Product	Confidence	Versions
Sap	Landscape Transformation	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply SAP Security Patch as referenced in SAP note 3697979
Restrict the Landscape Transformation RFC function module to trusted hosts and minimal user groups, ensuring only authorized users can invoke it
Audit system logs for unexpected ABAP code execution or OS command activity and investigate anomalies

Generated by OpenCVE AI on April 18, 2026 at 06:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00065.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://me.sap.com/notes/3697979
https://url.sap/sapsecuritypatchday

History

Tue, 13 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 13 Jan 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap landscape Transformation
Vendors & Products		Sap Sap landscape Transformation

Tue, 13 Jan 2026 01:45:00 +0000

Type	Values Removed	Values Added
Description		SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
Title		Code Injection vulnerability in SAP Landscape Transformation
Weaknesses		CWE-94
References		https://me.sap.com/notes/3697979 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Sap Landscape Transformation

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-01-13T01:12:53.331Z

Updated: 2026-02-26T15:04:49.849Z

Reserved: 2025-12-09T22:06:34.263Z

Link: CVE-2026-0491

Vulnrichment

Updated: 2026-01-13T16:20:55.965Z

NVD

Status : Deferred

Published: 2026-01-13T02:15:50.743

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses

CWE-94

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object