Description
Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.
Published: 2026-01-13
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Limited disclosure or modification of data
Action: Assess Impact
AI Analysis

Impact

The SAP Identity Management REST interface contains insufficient input handling that allows an authenticated administrator to send specially crafted malicious REST requests. These requests are processed by JNDI operations without adequate input neutralization, potentially enabling the attacker to disclose or modify data, leading to low impact on confidentiality and integrity and no impact on availability.

Affected Systems

Vendor SAP, product SAP Identity Management; no specific version information is available in the CNA data.

Risk and Exploitability

The vulnerability has a CVSS score of 3.8, indicating low severity, and an EPSS score of less than 1%, reflecting a very low probability of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to already be an authenticated administrator, a high-privilege role, which limits its reach. The overall risk remains low but should be monitored.

Generated by OpenCVE AI on April 18, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP Security Note 3657998 or the corresponding SAP Security Patch Day update to address the input handling flaw.
  • Restrict administrative access to the REST interface and enforce least privilege so that only trusted accounts can send requests that trigger JNDI operations.
  • Implement input validation and sanitization for REST parameters that influence JNDI to neutralize malicious content, following the CWE-943 mitigation guidance.



Advisories

No advisories yet.

History

Tue, 13 Jan 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sap; Sap identity Management

Type: Vendors & Products
Values Removed: (none)
Values Added: Sap; Sap identity Management

Tue, 13 Jan 2026 01:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.

Type: Title
Values Removed: (none)
Values Added: Insufficient Input Handling in JNDI Operations of SAP Identity Management

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-943

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Sap Identity Management
MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T19:06:11.135Z

Reserved: 2025-12-09T22:06:44.481Z

Link: CVE-2026-0504

Vulnrichment

Updated: 2026-01-13T19:05:57.563Z

NVD

Status: Deferred

Published: 2026-01-13T02:15:53.110

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses