CVE-2026-24322 - Vulnerability Details

- Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)

Description

SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.

Published: 2026-02-10

Score: 7.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a function module that fails to perform correct authorization checks after a user authenticates. Because the module grants access to sensitive data, an attacker can extract confidential information without compromising integrity or availability. This flaw is categorized as CWE‑862 and delivers a high confidentiality impact.

Affected Systems

Affected products include SAP Solution Tools Plug‑In (ST‑PI) versions 2008_1_700, 2008_1_710, 740, and 758. These releases are distributed by SAP and are identified by the corresponding CPE strings listed in the vulnerability record.

Risk and Exploitability

The CVSS score of 7.7 indicates significant risk. The EPSS score of less than 1 % suggests low current exploitation probability, and the issue is not listed in the CISA KEV catalog. The likely attack path requires an authenticated session; once logged in, an attacker can invoke the exposed function module to read sensitive data. No additional prerequisites are described, so the flaw is potentially exploitable by any user who can authenticate to the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP Solution Tools Plug-In (ST-PI)

unaffected

Version	Status	Constraints
`ST-PI 2008_1_700`	affected	—
`2008_1_710`	affected	—
`740`	affected	—
`758`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:sap:solution_tools_plug-in:740:::::::*
	cpe:2.3:a:sap:solution_tools_plug-in:758:::::::*
	cpe:2.3:a:sap:solution_tools_plug-in:2008_1_700:::::::*
	cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:::::::*

No data.

Vendor Product Confidence Versions

Sap Se

Sap Solution Tools Plug-in (st-pi)

—

Version	Status	Scheme	Platform
`ST-PI 2008_1_700`	affected	generic	—
`2008_1_710`	affected	generic	—
`740`	affected	generic	—
`758`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply SAP Note 3705882 to update ST‑PI and integrate the missing authorization checks.
Disable or block the vulnerable function module until the patch is in place, for example by removing the user authorization key or excluding the module from active workflows.
Review and tighten role and authorization definitions so that only necessary users can invoke the plug‑in, limiting potential exposure.

Generated by OpenCVE AI on April 17, 2026 at 20:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3705882
https://url.sap/sapsecuritypatchday

History

Tue, 17 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap solution Tools Plug-in
CPEs		cpe:2.3:a:sap:solution_tools_plug-in:2008_1_700:::::::* cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:::::::* cpe:2.3:a:sap:solution_tools_plug-in:740:::::::* cpe:2.3:a:sap:solution_tools_plug-in:758:::::::*
Vendors & Products		Sap Sap solution Tools Plug-in

Tue, 10 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sap Solution Tools Plug-in (st-pi)
Vendors & Products		Sap Se Sap Se sap Solution Tools Plug-in (st-pi)

Tue, 10 Feb 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.
Title		Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)
Weaknesses		CWE-862
References		https://me.sap.com/notes/3705882 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}`

Subscriptions

Sap Solution Tools Plug-in

Sap Se Sap Solution Tools Plug-in (st-pi)

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-02-10T03:04:01.992Z

Updated: 2026-02-10T17:00:38.519Z

Reserved: 2026-01-21T22:15:36.672Z

Link: CVE-2026-24322

Vulnrichment

Updated: 2026-02-10T17:00:33.348Z

NVD

Status : Analyzed

Published: 2026-02-10T04:16:04.307

Modified: 2026-02-17T15:23:50.653

Link: CVE-2026-24322

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object