Description
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.
Published: 2026-01-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Phishing via arbitrary email sending
Action: Patch
AI Analysis

Impact

The SAP Fiori App for Intercompany Balance Reconciliation allows high‑privileged users to upload files and send them to any email address that the application can reach, effectively turning the application into a tool for delivering malicious content or phishing messages. Although the reported impact on confidentiality, integrity and availability is low, the ability to deliver deceptive attachments, or messages that solicit credentials, from a trusted application constitutes a significant threat. The flaw is a case of improper authorization (CWE‑15) that lets privileged users bypass normal email sending restrictions.

Affected Systems

The vulnerability affects the SAP Fiori App for Intercompany Balance Reconciliation from SAP SE. No specific product versions are listed, so any current deployment of this application may be vulnerable until an official update or patch is applied.

Risk and Exploitability

With a CVSS score of 5.1 and an EPSS score of less than 1%, the risk level is moderate and the likelihood of exploitation is low but not zero. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, and no publicly known exploits are reported. Because the attack requires high‑privilege access to the Fiori application, it represents an internal attack vector; attackers could use the exposed file‑upload feature to send arbitrary attachments to arbitrary email addresses, enabling phishing campaigns against internal or external recipients.

Generated by OpenCVE AI on April 18, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest SAP security update or technical note that resolves the file upload email sending flaw.
  • Restrict high‑privilege user accounts to the minimal required permissions for the Fiori App, reducing the ability to abuse the upload feature.
  • Configure email monitoring tools to detect and flag suspicious attachments sent from the Fiori App to identify potential phishing campaigns.

Advisories

No advisories yet.

History

Tue, 13 Jan 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sap; Sap fiori

Type: Vendors & Products
Values Removed: (none)
Values Added: Sap; Sap fiori

Tue, 13 Jan 2026 01:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.

Type: Title
Values Removed: (none)
Values Added: Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-15

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T15:15:41.236Z

Reserved: 2025-12-09T22:06:37.539Z

Link: CVE-2026-0495

Vulnrichment

Updated: 2026-01-13T15:15:38.575Z

NVD

Status: Deferred

Published: 2026-01-13T02:15:51.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses