CVE-2026-0509 - Vulnerability Details

- Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

Published: 2026-02-10

Score: 9.6 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Allows an authenticated, low‑privileged user to invoke background remote function calls in SAP NetWeaver Application Server ABAP against the S_RFC authorization boundary. This flaw enables the attacker to modify application data and disrupt service, constituting a high‑impact breach of integrity and availability while preserving confidentiality.

Affected Systems

SAP NetWeaver Application Server ABAP and ABAP Platform—specifically kernel versions 7.22, 7.53, 7.54, 7.77, 7.89, 7.93 and 9.16, 9.18, 9.19, along with corresponding 64‑bit non‑Nuclear and 64‑bit NUC variations—are affected.

Risk and Exploitability

Given the CVSS base score of 9.6, the exploit is evaluated as highly impactful; the EPSS score of less than 1 % suggests a very low probability of exploitation at this time, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector involves an authenticated session via SAP user credentials, with the attacker leveraging low‑privilege accounts to execute unauthorized background RFCs. The lack of confidentiality impact indicates the flaw primarily harms integrity and availability of the hosted application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP NetWeaver Application Server ABAP and ABAP Platform

unaffected

Version	Status	Constraints
`KRNL64NUC 7.22`	affected	—
`7.22EXT`	affected	—
`KRNL64UC 7.22`	affected	—
`7.53`	affected	—
`KERNEL 7.22`	affected	—
`7.54`	affected	—
`7.77`	affected	—
`7.89`	affected	—
`7.93`	affected	—
`9.16`	affected	—
`9.18`	affected	—
`9.19`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.53:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.19:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.53:::::::*

No data.

Vendor Product Confidence Versions

Sap Se

Sap Netweaver Application Server Abap And Abap Platform

—

Version	Status	Scheme	Platform
`KRNL64NUC 7.22`	affected	generic	—
`7.22EXT`	affected	generic	—
`KRNL64UC 7.22`	affected	generic	—
`7.53`	affected	generic	—
`KERNEL 7.22`	affected	generic	—
`7.54`	affected	generic	—
`7.77`	affected	generic	—
`7.89`	affected	generic	—
`7.93`	affected	generic	—
`9.16`	affected	generic	—
`9.18`	affected	generic	—
`9.19`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply SAP security patch noted in SAP Note 3674774 to update the affected ABAP kernel components.
Restrict or remove the S_RFC authorisation from low‑privileged roles, ensuring only authorised users can trigger background RFCs.
Enable comprehensive logging of RFC activity and regularly review audit trails for anomalies.

Generated by OpenCVE AI on April 17, 2026 at 21:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3674774
https://url.sap/sapsecuritypatchday

History

Tue, 17 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap netweaver As Abap Kernel Sap netweaver As Abap Krnl64nuc Sap netweaver As Abap Krnl64uc
CPEs		cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.53:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:9.19:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22ext:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.53:::::::*
Vendors & Products		Sap Sap netweaver As Abap Kernel Sap netweaver As Abap Krnl64nuc Sap netweaver As Abap Krnl64uc

Tue, 10 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sap Netweaver Application Server Abap And Abap Platform
Vendors & Products		Sap Se Sap Se sap Netweaver Application Server Abap And Abap Platform

Tue, 10 Feb 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
Title		Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform
Weaknesses		CWE-862
References		https://me.sap.com/notes/3674774 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H'}`

Subscriptions

Sap Netweaver As Abap Kernel Netweaver As Abap Krnl64nuc Netweaver As Abap Krnl64uc

Sap Se Sap Netweaver Application Server Abap And Abap Platform

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-02-10T03:01:52.913Z

Updated: 2026-02-10T16:27:08.976Z

Reserved: 2025-12-09T22:06:48.421Z

Link: CVE-2026-0509

Vulnrichment

Updated: 2026-02-10T16:27:05.327Z

NVD

Status : Analyzed

Published: 2026-02-10T04:16:02.357

Modified: 2026-02-17T16:04:59.500

Link: CVE-2026-0509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object