Description
The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert a malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and a subsequent download of the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application.
Published: 2026-02-10
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect that can lead to malicious content delivery
Action: Immediate Patch
AI Analysis

Impact

Authenticated users with high privileges on SAP BusinessObjects Business Intelligence Platform can embed arbitrary URLs in the application. When a victim clicks such a link, the system performs an unvalidated redirect to a domain controlled by the attacker, permitting delivery of malicious content. The consequence is a breach of confidentiality and integrity of the application, while availability remains unaffected.

Affected Systems

SAP BusinessObjects Business Intelligence Platform versions 2025, 2027 and 430 enterprise editions are affected. A patch is available through SAP Note 3674246 and the SAP Security Patch Day updates.

Risk and Exploitability

The vulnerability has a CVSS score of 7.3 (High) and an EPSS of less than 1%, indicating a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to have authenticated access with elevated privileges; the attacker must then insert a malicious link that a target user later clicks. While it does not provide remote code execution or denial‑of‑service, it facilitates phishing and can be used as a foothold for further credential or data theft.

Generated by OpenCVE AI on April 17, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply SAP security patches for BusinessObjects Business Intelligence Platform 2025, 2027, and 430 following SAP Note 3674246.
  • Restrict the ability to create or edit URLs to users with proven administrative responsibility and enforce URL validation or removal of the redirection feature if possible.
  • Deploy or update web‑application firewalls or content‑security policies to block unvalidated redirects and monitor for unexpected redirect traffic.



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Sap; Sap businessobjects Business Intelligence Platform |
| CPEs | | cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2025:*:*:*:enterprise:*:*:*; cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2027:*:*:*:enterprise:*:*:*; cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430:*:*:*:enterprise:*:*:* |
| Vendors & Products | | Sap; Sap businessobjects Business Intelligence Platform |

Tue, 10 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 10 Feb 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Sap Se; Sap Se sap Business Objects Business Intgelligence Platform |
| Vendors & Products | | Sap Se; Sap Se sap Business Objects Business Intgelligence Platform |

Tue, 10 Feb 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and subsequently download the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application. |
| Title | | Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform |
| Weaknesses | | CWE-601 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-26T15:04:13.877Z

Reserved: 2025-12-09T22:06:47.660Z

Link: CVE-2026-0508

Vulnrichment

Updated: 2026-02-10T16:27:30.305Z

NVD

Status : Analyzed

Published: 2026-02-10T04:16:02.187

Modified: 2026-02-17T16:06:15.913

Link: CVE-2026-0508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z
