Description
SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows sending HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on availability of the application.
Published: 2026-03-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery (SSRF)
Action: Apply Patch
AI Analysis

Impact

SAP NetWeaver Application Server for ABAP contains an ABAP report that can send HTTP requests to arbitrary internal or external endpoints. The report thereby exposes a Server-Side Request Forgery vulnerability, which could allow an attacker to interact with sensitive internal services. Consistent with the description and the CVSS vector (C:L/I:L/A:N), the impact on data confidentiality and integrity is low, and there is no effect on application availability.

Affected Systems

SAP NetWeaver Application Server for ABAP is the affected product. No specific versions are listed in the CNA data, so all releases of this product are considered potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score is 6.4, indicating moderate severity, and the EPSS score is less than 1%, suggesting a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an authenticated or publicly exposed ABAP report endpoint that accepts arbitrary URLs. Successful exploitation would allow remote interaction with internal endpoints but would not compromise the availability of the application.

Generated by OpenCVE AI on April 16, 2026 at 09:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SAP NetWeaver Application Server for ABAP patch or update to a version that removes the vulnerable report feature
  • Disable or restrict access to the ABAP report used for testing by implementing transport restrictions or role assignment
  • Monitor network traffic for unexpected outbound HTTP requests from the application server to detect potential SSRF attempts


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sap; Sap netweaver Application Server For Abap

Type: Vendors & Products
Values Removed: (none)
Values Added: Sap; Sap netweaver Application Server For Abap

Tue, 10 Mar 2026 00:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows sending HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on availability of the application.

Type: Title
Values Removed: (none)
Values Added: Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:53:14.123Z

Reserved: 2026-01-21T22:15:25.361Z

Link: CVE-2026-24316

Vulnrichment

Updated: 2026-03-10T15:36:08.024Z

NVD

Status: Awaiting Analysis

Published: 2026-03-10T17:35:55.860

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-24316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z
