Description
Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.
Published: 2026-02-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

This vulnerability is caused by an uncontrolled resource consumption flaw within a remote‑enabled function module. An authenticated user with normal privileges can repeatedly call the module with an overly large loop‑control parameter, forcing a long‑running loop that consumes significant CPU and memory resources. The result is a denial‑of‑service condition that makes the affected SAP Supply Chain Management system unavailable, while confidentiality and integrity of data remain unaffected.

Affected Systems

The flaw affects SAP Supply Chain Management products across versions 700 through 714, and also impacts Advanced Planning and Optimization versions 713 and 714. Authorized users with network access to the affected systems are able to trigger the vulnerability.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, but the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication, meaning that the attack surface is limited to users who already have legitimate system access. Nonetheless, once enabled, the attack can render the system unusable.

Generated by OpenCVE AI on April 18, 2026 at 12:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP Security Patch Day hotfix referenced in SAP Note 3703092 to update all affected SAP Supply Chain Management and Advanced Planning and Optimization components.
  • Limit the exposure of the vulnerable remote‑enabled function module by restricting its use to privileged roles or disabling it for non‑essential users.
  • Monitor CPU and memory usage for abnormal spikes, and configure alerts to detect and respond to prolonged loop execution that could indicate exploitation.

Generated by OpenCVE AI on April 18, 2026 at 12:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Sap advanced Planning And Optimization
Weaknesses CWE-770
CPEs cpe:2.3:a:sap:advanced_planning_and_optimization:713:*:*:*:*:*:*:*
cpe:2.3:a:sap:advanced_planning_and_optimization:714:*:*:*:*:*:*:*
cpe:2.3:a:sap:supply_chain_management:700:*:*:*:*:*:*:*
cpe:2.3:a:sap:supply_chain_management:701:*:*:*:*:*:*:*
cpe:2.3:a:sap:supply_chain_management:702:*:*:*:*:*:*:*
cpe:2.3:a:sap:supply_chain_management:712:*:*:*:*:*:*:*
Vendors & Products Sap advanced Planning And Optimization

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap supply Chain Management
Vendors & Products Sap
Sap supply Chain Management

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.
Title Denial of service (DOS) in SAP Supply Chain Management
Weaknesses CWE-606
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}

Subscriptions

Sap Advanced Planning And Optimization Supply Chain Management
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-27T14:27:50.545Z

Reserved: 2026-01-14T18:26:17.297Z

Link: CVE-2026-23689

cve-icon Vulnrichment

Updated: 2026-02-10T17:18:09.866Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T04:16:03.500

Modified: 2026-02-17T15:57:04.273

Link: CVE-2026-23689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses