CVE-2026-24314 - Vulnerability Details

- Information Disclosure vulnerability in S/4HANA (Manage Payment Media)

Description

Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application while integrity and availability are not impacted.

Published: 2026-02-24

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an authenticated SAP S/4HANA user to read restricted payment media information that should otherwise be protected. This results in a small confidentiality disclosure to the attacker, with no impact on data integrity or availability. The weakness is categorized as CWE-497, reflecting improper authorization control.

Affected Systems

SAP S/4HANA (Manage Payment Media) versions 600 through 902, as well as SAP S/4HANA UI for SAP HANA 109, are affected according to the Common Platform Enumeration entries. Only installations running these specific release levels without the vendor patch are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates low overall risk, and the EPSS score of less than 1% suggests that exploitation attempts are very unlikely at present. Because the vulnerability requires a valid authenticated session, an attacker would need to compromise or obtain credentials for a legitimate user. The vulnerability is not listed in the CISA KEV catalog, further indicating lower threat priority, but patching remains recommended.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

S/4HANA (Manage Payment Media)

unaffected

Version	Status	Constraints
`UIAPFI70 600`	affected	—
`700`	affected	—
`800`	affected	—
`900`	affected	—
`901`	affected	—
`902`	affected	—
`UIS4H 109`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:sap:s\/4hana_uiapfi70:600:::::::*
	cpe:2.3:a:sap:s\/4hana_uiapfi70:700:::::::*
	cpe:2.3:a:sap:s\/4hana_uiapfi70:800:::::::*
	cpe:2.3:a:sap:s\/4hana_uiapfi70:900:::::::*
	cpe:2.3:a:sap:s\/4hana_uiapfi70:901:::::::*
	cpe:2.3:a:sap:s\/4hana_uiapfi70:902:::::::*
	cpe:2.3:a:sap:s\/4hana_uis4h:109:::::::*

No data.

Vendor Product Confidence Versions

Sap Se

S/4hana (manage Payment Media)

100%

Version	Status	Scheme	Platform
`UIAPFI70 600`	affected	generic	—
`700`	affected	generic	—
`800`	affected	generic	—
`900`	affected	generic	—
`901`	affected	generic	—
`902`	affected	generic	—
`UIS4H 109`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official SAP security patch as described in SAP Note 3646297 or the SAP Security Patch Day update.
Restrict access to the Manage Payment Media application to only users with the appropriate authorization roles, ensuring that unauthorized accounts cannot authenticate to the feature.
Monitor application logs for attempts to access restricted payment media data and investigate any anomalies.

Generated by OpenCVE AI on April 17, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3646297
https://url.sap/sapsecuritypatchday

History

Tue, 03 Mar 2026 00:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap s\/4hana Uiapfi70 Sap s\/4hana Uis4h
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:sap:s\/4hana_uiapfi70:600:::::::* cpe:2.3:a:sap:s\/4hana_uiapfi70:700:::::::* cpe:2.3:a:sap:s\/4hana_uiapfi70:800:::::::* cpe:2.3:a:sap:s\/4hana_uiapfi70:900:::::::* cpe:2.3:a:sap:s\/4hana_uiapfi70:901:::::::* cpe:2.3:a:sap:s\/4hana_uiapfi70:902:::::::* cpe:2.3:a:sap:s\/4hana_uis4h:109:::::::*
Vendors & Products		Sap Sap s\/4hana Uiapfi70 Sap s\/4hana Uis4h

Wed, 25 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se s/4hana (manage Payment Media)
Vendors & Products		Sap Se Sap Se s/4hana (manage Payment Media)

Tue, 24 Feb 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application while integrity and availability are not impacted.
Title		Information Disclosure vulnerability in S/4HANA (Manage Payment Media)
Weaknesses		CWE-497
References		https://me.sap.com/notes/3646297 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Sap S\/4hana Uiapfi70 S\/4hana Uis4h

Sap Se S/4hana (manage Payment Media)

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-02-24T05:23:52.911Z

Updated: 2026-02-24T16:44:18.533Z

Reserved: 2026-01-21T22:15:25.361Z

Link: CVE-2026-24314

Vulnrichment

Updated: 2026-02-24T16:44:11.718Z

NVD

Status : Analyzed

Published: 2026-02-24T06:16:35.270

Modified: 2026-03-03T00:28:43.917

Link: CVE-2026-24314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object