Description
Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
Published: 2026-01-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Integrity and Availability Impact
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker to misuse an RFC function to execute form routines (FORMs). Successful exploitation could enable the attacker to write or modify data reachable through those form routines and to invoke additional system functionality they expose, resulting in a high impact on data integrity and availability while leaving confidentiality unaffected.

Affected Systems

SAP NetWeaver Application Server ABAP and ABAP Platform across the following Release numbers: 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, and 816. The vulnerability is documented against the SAP Basis component of these products.

Risk and Exploitability

The issue carries a CVSS score of 8.1, indicating high severity. The EPSS score is below 1%, reflecting a low estimated probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based and is exercised by an authenticated user who can reach the vulnerable RFC function; success therefore requires either an internal account or compromised legitimate user credentials.

Generated by OpenCVE AI on April 18, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP NetWeaver Application Server ABAP and ABAP Platform security fix described in SAP note 3688703.
  • Restrict the vulnerable RFC function so that only authorized administrators can invoke it, ensuring that routine execution is tied to proper authorization checks.
  • Enable detailed RFC logging and monitor for anomalous or unauthorized calls to the vulnerable function to detect potential exploitation attempts.
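The second recommendation, tying routine execution to an explicit authorization check, as an added illustration in ABAP: a hypothetical remote-enabled function module that executes a form routine dynamically, shown first in the weak form and then hardened. This is not SAP's code and not the affected function module; the authorization object Z_FORM_EXEC, the allow-list table ZFORM_ALLOW and the function name are assumptions.

```abap
" Hypothetical remote-enabled function module (added illustration; it is not
" SAP's code and not the function module affected by CVE-2026-0506).
FUNCTION z_run_form_routine.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(iv_program) TYPE progname
*"     VALUE(iv_form)    TYPE string
*"  EXCEPTIONS
*"     not_authorized
*"     program_not_allowed
*"----------------------------------------------------------------------
  DATA lv_allowed TYPE progname.

  " Weak pattern (CWE-862, the class of bug this page describes): any
  " caller who can reach the RFC interface gets an arbitrary routine of an
  " arbitrary program executed, with no check beyond the RFC logon itself.
  "
  "   PERFORM (iv_form) IN PROGRAM (iv_program) IF FOUND.

  " Hardened pattern, step 1: an explicit authorization check, evaluated
  " in the calling user's context (sy-uname), before any dynamic PERFORM.
  " Z_FORM_EXEC is an assumed custom authorization object with the fields
  " PROGRAM and ACTVT; it has to be defined (SU21) and granted only to the
  " roles that legitimately need this function.
  AUTHORITY-CHECK OBJECT 'Z_FORM_EXEC'
    ID 'PROGRAM' FIELD iv_program
    ID 'ACTVT'   FIELD '16'.              " 16 = Execute
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " Step 2: even for authorized users, only routines from a maintained
  " allow-list of programs may run. ZFORM_ALLOW is an assumed custom table
  " with key column PROGRAM, so security administrators can review and
  " change the list without touching the code.
  SELECT SINGLE program FROM zform_allow
    INTO lv_allowed
    WHERE program = iv_program.
  IF sy-subrc <> 0.
    RAISE program_not_allowed.
  ENDIF.

  " Only now is the dynamic routine executed.
  PERFORM (iv_form) IN PROGRAM (iv_program) IF FOUND.

ENDFUNCTION.
```

Both RAISE paths return a classic exception to the RFC caller, which also gives the logging recommended above a distinct failure signature to alert on.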

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 23:00:00 +0000

First Time appeared (values added): Sap netweaver Application Server Abap
CPEs (values added):
  cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:sap_basis:*:*:*
  cpe:2.3:a:sap:netweaver_application_server_abap:816:*:*:*:sap_basis:*:*:*
Vendors & Products (values added): Sap netweaver Application Server Abap

Tue, 13 Jan 2026 19:15:00 +0000

Metrics (values added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 09:30:00 +0000

First Time appeared (values added):
  Sap
  Sap abap Platform
  Sap application Server
  Sap netweaver
  Sap netweaver Abap
  Sap netweaver Abap Application Server
Vendors & Products (values added):
  Sap
  Sap abap Platform
  Sap application Server
  Sap netweaver
  Sap netweaver Abap
  Sap netweaver Abap Application Server

Tue, 13 Jan 2026 01:45:00 +0000

Description (values added): Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
Title (values added): Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform
Weaknesses (values added): CWE-862
References (values added):
Metrics (values added): cvssV3_1
  {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T18:58:20.906Z

Reserved: 2025-12-09T22:06:46.070Z

Link: CVE-2026-0506

Vulnrichment

Updated: 2026-01-13T18:57:59.487Z

NVD

Status : Analyzed

Published: 2026-01-13T02:15:53.277

Modified: 2026-01-22T18:48:00.860

Link: CVE-2026-0506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses