Description
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application; availability is not impacted.
Published: 2026-01-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The SAP Fiori App for Intercompany Balance Reconciliation fails to perform the required authorization checks for an authenticated user, allowing that user to escalate privileges and access data or functions beyond their intended rights. This flaw corresponds to CWE-862: Missing Authorization and can compromise both the confidentiality and the integrity of the application's data, while availability remains unaffected. Based on the description, the attacker must already hold valid credentials, so the vulnerability is exploitable only from within a legitimate user account.

Affected Systems

The affected product is the SAP Fiori App (Intercompany Balance Reconciliation) from SAP SE. No additional vendor or version details are supplied in the current data, so any installation of this application is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is classified as high severity. The EPSS score is < 1%, indicating a low current probability of exploitation, and the issue is not listed in CISA's KEV catalog. However, because the flaw can be triggered by any authenticated user without further preconditions, the risk remains significant on systems where privileged or broad authorizations are assigned. The CVSS vector recorded for this CVE (AV:N/AC:L/PR:L/UI:N) describes a network-reachable attack requiring only low privileges and no user interaction, so the exposure is that of any account able to reach the Fiori application.

Generated by OpenCVE AI on April 18, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround is currently listed in this record.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3565506 or the latest SAP Security Patch Day update to enforce proper authorization checks.
  • If a patch is not yet available, restrict or remove the Intercompany Balance Reconciliation role from users who do not require it, thereby limiting the exposure of the vulnerability.
  • Continuously monitor audit logs for unauthorized changes in user privileges or unexpected access patterns, and review role assignments regularly to ensure least‑privilege principles are maintained.


Tracking


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sap; Sap fiori

Type: Vendors & Products
Values Removed: (none)
Values Added: Sap; Sap fiori

Tue, 13 Jan 2026 01:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application, availability is not impacted.

Type: Title
Values Removed: (none)
Values Added: Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-26T15:04:48.349Z

Reserved: 2025-12-09T22:06:50.036Z

Link: CVE-2026-0511

Vulnrichment

Updated: 2026-01-13T17:45:54.772Z

NVD

Status: Deferred

Published: 2026-01-13T02:15:53.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses