Description
Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.
Published: 2026-01-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

SAP Fiori App (Intercompany Balance Reconciliation) contains an information disclosure flaw that lets a compromised user read data that should have been restricted. The impact is primarily a modest loss of confidentiality; the flaw does not alter the system’s integrity or availability and is classified as low severity with a CVSS score of 4.3.

Affected Systems

The vulnerability affects the SAP Fiori App (Intercompany Balance Reconciliation) component of SAP, with no specific version information listed. Users running this application should verify whether the installed build is susceptible.

Risk and Exploitability

With an EPSS score below 1% and no listing in the CISA KEV catalog, the likelihood of immediate exploitation is low. The attack vector is inferred to arise from within the application layer, potentially by users who gain access to the Fiori app under certain conditions. Because the flaw does not grant elevated privileges or disrupt services, it is less attractive for large‑scale attacks but could still compromise sensitive data if exploited.

Generated by OpenCVE AI on April 18, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security update identified by Note 3655227, which addresses this information disclosure in the Fiori App (Intercompany Balance Reconciliation).
  • Enforce strict access controls on the application by ensuring that only users with the appropriate roles can access intercompany balance data and by removing unnecessary permissions.
  • Continuously monitor audit trails for unusual attempts to view restricted information and respond promptly to any detected anomalies.

Advisories

No advisories yet.

History

Tue, 13 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap; Sap fiori
Vendors & Products | | Sap; Sap fiori

Tue, 13 Jan 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.
Title | | Information Disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Weaknesses | | CWE-497
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T16:19:32.833Z

Reserved: 2025-12-09T22:06:36.684Z

Link: CVE-2026-0494

Vulnrichment

Updated: 2026-01-13T16:19:29.880Z

NVD

Status: Deferred

Published: 2026-01-13T02:15:51.667

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses