Description
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute a specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has low impact on the application's integrity and availability, with no effect on confidentiality.
Published: 2026-03-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of database configuration leading to degraded performance
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a missing authorization check in SAP NetWeaver Application Server for ABAP, allowing an authenticated user to invoke a specific ABAP function module that can read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized modification can reduce system performance or cause interruptions, representing a low impact on integrity and availability, with no effect on confidentiality.

Affected Systems

SAP NetWeaver Application Server for ABAP. No specific product versions are listed in the CNA data, so the vulnerability may affect all currently supported releases of this product.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as medium severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of reporting. The vulnerability is not listed in the CISA KEV catalog. Attacks require legitimate user credentials, so exploitation is limited to authenticated users (the CVSS vector lists AV:N and PR:L). An attacker with appropriate access could alter configuration tables, potentially degrading performance or interrupting services, but the scope is limited to the affected system.

Generated by OpenCVE AI on April 16, 2026 at 09:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced in SAP Note 3703856 (SAP Security Patch Day) to add the missing authorization check.
  • Review and restrict ABAP Function Module access by examining role assignments and ensuring that only authorized users have permission to execute the affected module.
  • Monitor system logs and database configuration tables for unauthorized changes and establish alerts for suspicious activity.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap; Sap netweaver Application Server For Abap
Vendors & Products | | Sap; Sap netweaver Application Server For Abap

Tue, 10 Mar 2026 00:45:00 +0000

Type | Values Removed | Values Added
Description | | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute a specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has low impact on the application's integrity and availability, with no effect on confidentiality.
Title | | Missing Authorization check in SAP NetWeaver Application Server for ABAP
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:53:39.013Z

Reserved: 2026-01-21T22:15:25.360Z

Link: CVE-2026-24309

Vulnrichment

Updated: 2026-03-10T15:36:14.514Z

NVD

Status: Awaiting Analysis

Published: 2026-03-10T17:35:54.963

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-24309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses