Description
Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected.
Published: 2026-04-14
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Session Token Reuse
Action: Patch
AI Analysis

Impact

The vulnerability arises from insecure session management in SAP BusinessObjects Business Intelligence Platform. An unauthenticated attacker can acquire valid session tokens and replay them to gain unauthorized access to a victim's session. This allows the attacker to access or modify data within the victim’s session scope, compromising confidentiality and integrity. Availability is unaffected.

Affected Systems

The affected product is SAP BusinessObjects Business Intelligence Platform. No specific version information is provided in the CNA data, so the vulnerability may apply to any supported release of the platform until the SAP security patch is applied.

Risk and Exploitability

The CVSS score of 4.2 indicates a moderate impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack could be performed over the network via the web application interface, allowing an attacker to obtain session tokens and replay them. The lack of token invalidation after authentication provides the necessary precondition for exploitation.

Generated by OpenCVE AI on April 14, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3702191.
  • Confirm that session tokens are invalidated immediately after authentication to prevent reuse.
  • Verify that the application no longer accepts previously issued session tokens.

Generated by OpenCVE AI on April 14, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Business Objects Business Intelligence Platform
Vendors & Products Sap Se
Sap Se sap Business Objects Business Intelligence Platform

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected.
Title Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Weaknesses CWE-539
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Sap Se Sap Business Objects Business Intelligence Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:19.302Z

Reserved: 2026-01-21T22:15:25.361Z

Link: CVE-2026-24318

cve-icon Vulnrichment

Updated: 2026-04-14T13:09:26.872Z

cve-icon NVD

Status : Received

Published: 2026-04-14T00:16:04.913

Modified: 2026-04-14T00:16:04.913

Link: CVE-2026-24318

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:32Z

Weaknesses