Description
The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions, potentially leading to partial disclosure of sensitive information. This has low impact on confidentiality, with no impact on integrity and availability of the application.
Published: 2026-01-13
Score: 3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Partial data disclosure through obsolete encryption
Action: Patch
AI Analysis

Impact

The User Management Engine in SAP NetWeaver Application Server for Java uses an outdated cryptographic algorithm to encrypt user mapping data, a weakness classified as inadequate encryption strength (CWE-326). This flaw can permit an attacker who already holds elevated privileges, such as local or otherwise high-level access, to partially disclose the encrypted data. Consequently, confidentiality is at risk, while integrity and availability remain unaffected.

Affected Systems

This vulnerability affects the User Management Engine (UME) component of SAP NetWeaver Application Server for Java (NW AS Java), specifically its encryption of User Mapping data. All versions of this product that rely on the obsolete encryption algorithm are impacted; specific version information is not provided in the advisory.

Risk and Exploitability

The CVSS score of 3 indicates low severity, and the EPSS score of less than one percent suggests a very low probability of exploitation in the wild. The weakness is not listed in the CISA KEV catalog. Exploitation requires high-privileged access, so the attack path most likely runs through internal users or compromised administrative accounts, even though the CVSS vector rates the attack vector as network (AV:N) with high attack complexity (AC:H).

Generated by OpenCVE AI on April 18, 2026 at 06:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP Note 3593356 updates that replace the obsolete encryption algorithm in NW AS Java UME.
  • Reconfigure UME to use a secure, modern encryption algorithm and ensure the configuration is enforced.
  • Reduce the privileges of accounts with access to UME, and monitor for unusual activity.


Advisories

No advisories yet.

History

Tue, 13 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap; Sap java As
Vendors & Products | | Sap; Sap java As

Tue, 13 Jan 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions, potentially leading to partial disclosure of sensitive information. This has low impact on confidentiality, with no impact on integrity and availability of the application.
Title | | Obsolete Encryption Algorithm Used in NW AS Java UME User Mapping
Weaknesses | | CWE-326
References | |
Metrics | | cvssV3_1: {'score': 3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T18:26:48.509Z

Reserved: 2025-12-09T22:06:49.250Z

Link: CVE-2026-0510

Vulnrichment

Updated: 2026-01-13T18:19:19.054Z

NVD

Status: Deferred

Published: 2026-01-13T02:15:53.597

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses