Description
Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the application's confidentiality with no effect on the integrity and availability.
Published: 2026-03-10
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Limited Confidentiality Exposure via Missing Authorization Check
Action: Assess Impact
AI Analysis

Impact

A missing authorization check in SAP NetWeaver Application Server for ABAP allows an authenticated attacker to execute a specific ABAP function module that reads sensitive information from the database catalog. While the vulnerability does not affect integrity or availability, it permits read‑only access to sensitive data, resulting in a low confidentiality impact.

Affected Systems

The affected product is SAP NetWeaver Application Server for ABAP. No specific version information is provided in the advisory; the issue applies to all releases of this product until the fix is applied.

Risk and Exploitability

The CVSS score of 3.5 reflects low severity, and the EPSS score is below 1%, indicating a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, reducing urgency. An attacker must be authenticated, so the attack vector requires valid user credentials. The risk is therefore limited to users with legitimate access rights, who could exploit the missing check to read the database catalog.

Generated by OpenCVE AI on April 16, 2026 at 09:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security update referenced in SAP Note 3694383 or the latest SAP NetWeaver release that includes the authorization check fix.
  • Implement least‑privilege authorization policies and restrict user permissions for executing the affected ABAP function module.
  • Audit logs for execution of the vulnerable function module and verify that the database catalog is accessed only by authorized personnel.

Generated by OpenCVE AI on April 16, 2026 at 09:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap netweaver Application Server For Abap
Vendors & Products Sap
Sap netweaver Application Server For Abap

Tue, 10 Mar 2026 00:45:00 +0000

Type Values Removed Values Added
Description Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the application's confidentiality with no effect on the integrity and availability.
Title Missing Authorization check in SAP NetWeaver Application Server for ABAP
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Sap Netweaver Application Server For Abap
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:53:32.884Z

Reserved: 2026-01-21T22:15:25.360Z

Link: CVE-2026-24310

cve-icon Vulnrichment

Updated: 2026-03-10T15:36:12.436Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-10T17:35:55.180

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-24310

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses