CVE-2026-23687 - Vulnerability Details

- XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform

Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.

Published: 2026-02-10

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

SAP NetWeaver Application Server ABAP and ABAP Platform contain an XML Signature Wrapping flaw that allows an authenticated user with normal privileges to capture a valid signed message, alter it, and send the tampered XML to the verifier. Once accepted, the modified identity information may be used to gain unauthorized access to sensitive data or disrupt normal business processes. The weakness is a classic case of XML signature manipulation and can compromise confidentiality, integrity, and availability of the application.

Affected Systems

The issue affects all SAP Basis releases from 700 to 918 inclusive as listed by the CNA, covering a broad range of SAP NetWeaver ABAP environments. Any system that stores or validates XML signatures within its ABAP platform is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while the EPSS score shows a very low current likelihood of exploitation. The flaw is not present in CISA’s KEV catalogue, implying no confirmed exploits yet. Because the attacker must already be authenticated, the threat requires user credentials but does not need additional privileges beyond normal access. The attack vector is likely to be internal exploitation through legitimate user activity, making the vulnerability plausible in environments with weak internal controls.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP NetWeaver AS ABAP and ABAP Platform

unaffected

Version	Status	Constraints
`SAP_BASIS 700`	affected	—
`SAP_BASIS 701`	affected	—
`SAP_BASIS 702`	affected	—
`SAP_BASIS 731`	affected	—
`SAP_BASIS 740`	affected	—
`SAP_BASIS 750`	affected	—
`SAP_BASIS 751`	affected	—
`SAP_BASIS 752`	affected	—
`SAP_BASIS 753`	affected	—
`SAP_BASIS 754`	affected	—
`SAP_BASIS 755`	affected	—
`SAP_BASIS 756`	affected	—
`SAP_BASIS 757`	affected	—
`SAP_BASIS 758`	affected	—
`SAP_BASIS 804`	affected	—
`SAP_BASIS 816`	affected	—
`SAP_BASIS 916`	affected	—
`SAP_BASIS 917`	affected	—
`SAP_BASIS 918`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:sap:sap_basis:700:::::::*
	cpe:2.3:a:sap:sap_basis:701:::::::*
	cpe:2.3:a:sap:sap_basis:702:::::::*
	cpe:2.3:a:sap:sap_basis:731:::::::*
	cpe:2.3:a:sap:sap_basis:740:::::::*
	cpe:2.3:a:sap:sap_basis:750:::::::*
	cpe:2.3:a:sap:sap_basis:751:::::::*
	cpe:2.3:a:sap:sap_basis:752:::::::*
	cpe:2.3:a:sap:sap_basis:753:::::::*
	cpe:2.3:a:sap:sap_basis:754:::::::*
	cpe:2.3:a:sap:sap_basis:755:::::::*
	cpe:2.3:a:sap:sap_basis:756:::::::*
	cpe:2.3:a:sap:sap_basis:757:::::::*
	cpe:2.3:a:sap:sap_basis:758:::::::*
	cpe:2.3:a:sap:sap_basis:804:::::::*
	cpe:2.3:a:sap:sap_basis:916:::::::*
	cpe:2.3:a:sap:sap_basis:917:::::::*
	cpe:2.3:a:sap:sap_basis:918:::::::*

No data.

Vendor Product Confidence Versions

Sap Se

Sap Netweaver And Abap Platform

—

Version	Status	Scheme	Platform
`SAP_BASIS 700`	affected	generic	—
`SAP_BASIS 701`	affected	generic	—
`SAP_BASIS 702`	affected	generic	—
`SAP_BASIS 731`	affected	generic	—
`SAP_BASIS 740`	affected	generic	—
`SAP_BASIS 750`	affected	generic	—
`SAP_BASIS 751`	affected	generic	—
`SAP_BASIS 752`	affected	generic	—
`SAP_BASIS 753`	affected	generic	—
`SAP_BASIS 754`	affected	generic	—
`SAP_BASIS 755`	affected	generic	—
`SAP_BASIS 756`	affected	generic	—
`SAP_BASIS 757`	affected	generic	—
`SAP_BASIS 758`	affected	generic	—
`SAP_BASIS 804`	affected	generic	—
`SAP_BASIS 816`	affected	generic	—
`SAP_BASIS 916`	affected	generic	—
`SAP_BASIS 917`	affected	generic	—
`SAP_BASIS 918`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the SAP Security Note 3697567 to update the SAP NetWeaver ABAP platform to the latest patch level.
Configure the system to enforce strict XML signature validation, ensuring that canonicalization is used and that no signature wrapping is permitted.
Restrict access to XML documents that carry signed content to authorized roles and monitor audit logs for any unauthorized signature alterations.

Generated by OpenCVE AI on April 18, 2026 at 12:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://me.sap.com/notes/3697567
https://url.sap/sapsecuritypatchday

History

Tue, 17 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap sap Basis
CPEs		cpe:2.3:a:sap:sap_basis:700:::::::* cpe:2.3:a:sap:sap_basis:701:::::::* cpe:2.3:a:sap:sap_basis:702:::::::* cpe:2.3:a:sap:sap_basis:731:::::::* cpe:2.3:a:sap:sap_basis:740:::::::* cpe:2.3:a:sap:sap_basis:750:::::::* cpe:2.3:a:sap:sap_basis:751:::::::* cpe:2.3:a:sap:sap_basis:752:::::::* cpe:2.3:a:sap:sap_basis:753:::::::* cpe:2.3:a:sap:sap_basis:754:::::::* cpe:2.3:a:sap:sap_basis:755:::::::* cpe:2.3:a:sap:sap_basis:756:::::::* cpe:2.3:a:sap:sap_basis:757:::::::* cpe:2.3:a:sap:sap_basis:758:::::::* cpe:2.3:a:sap:sap_basis:804:::::::* cpe:2.3:a:sap:sap_basis:916:::::::* cpe:2.3:a:sap:sap_basis:917:::::::* cpe:2.3:a:sap:sap_basis:918:::::::*
Vendors & Products		Sap Sap sap Basis

Wed, 11 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sap Netweaver And Abap Platform
Vendors & Products		Sap Se Sap Se sap Netweaver And Abap Platform

Tue, 10 Feb 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.
Title		XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform
Weaknesses		CWE-347
References		https://me.sap.com/notes/3697567 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Sap Sap Basis

Sap Se Sap Netweaver And Abap Platform

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-02-10T03:02:47.674Z

Updated: 2026-02-26T15:04:13.585Z

Reserved: 2026-01-14T18:26:17.297Z

Link: CVE-2026-23687

Vulnrichment

Updated: 2026-02-10T20:15:21.782Z

NVD

Status : Analyzed

Published: 2026-02-10T04:16:03.180

Modified: 2026-02-17T16:12:35.840

Link: CVE-2026-23687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses

CWE-347

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object