Description
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.
Published: 2026-01-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Low integrity impact via Cross‑Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

A Cross‑Site Request Forgery (CSRF) vulnerability in the SAP Fiori App Intercompany Balance Reconciliation allows an attacker to perform state‑changing operations on behalf of an authenticated user if an inappropriate request type is used. The deviation from expected request semantics could trigger unintended actions, leading to a low‑level impact on the integrity of the system while leaving confidentiality and availability untouched.

Affected Systems

SAP SE – SAP Fiori App Intercompany Balance Reconciliation. No specific impacted versions are listed in the CNA data, so all released versions of the app should be examined.

Risk and Exploitability

The CVSS score of 4.3 reflects the low impact and limited exploitation potential. The EPSS score of less than 1% indicates a very low probability of real‑world exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. Despite the low risk, exploitation would typically occur through a crafted web request sent from the victim’s browser, leveraging the user’s authenticated session. No explicit prerequisites beyond a valid session are disclosed, so the attack vector is presumed to be a typical web‑based CSRF scenario.

Generated by OpenCVE AI on April 18, 2026 at 06:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch referenced in SAP Note 3655229.
  • Apply any additional updates outlined in SAP Security Patch Day documentation.
  • Verify that CSRF protection remains active for all state‑changing requests in the application.

Generated by OpenCVE AI on April 18, 2026 at 06:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap fiori
Vendors & Products Sap
Sap fiori

Tue, 13 Jan 2026 01:45:00 +0000

Type Values Removed Values Added
Description Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.
Title Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Sap Fiori
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T19:07:00.934Z

Reserved: 2025-12-09T22:06:35.874Z

Link: CVE-2026-0493

cve-icon Vulnrichment

Updated: 2026-01-13T14:12:51.457Z

cve-icon NVD

Status : Deferred

Published: 2026-01-13T02:15:51.420

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0493

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses