Description
Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations, which could lead to no impact on Confidentiality and a Low impact on Integrity and Availability of the application.
Published: 2026-04-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized OS file deletion and manipulation
Action: Apply Patch
AI Analysis

Impact

A missing authorization check in SAP S/4HANA (Private Cloud and On‑Premise) permits an authenticated user to delete files on the underlying operating system and perform other file‑related operations. The flaw does not affect data confidentiality, has a low impact on integrity, and a low impact on application availability.

Affected Systems

The vulnerability applies to SAP SE’s SAP S/4HANA deployments, both private cloud and on‑premise. Specific affected product versions are not disclosed in the CVE data; the fix is referenced by SAP Note 3703813.

Risk and Exploitability

The CVSS score of 4.9 is rated Medium, the EPSS score is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog. The attack requires a valid authenticated session (PR:L), and the CVSS vector rates attack complexity as high (AC:H); an attacker with user credentials can exploit the missing check to delete or modify operating system files, potentially disrupting system integrity or availability. The overall risk remains low, and the absence of any confidentiality impact limits immediate exposure.

Generated by OpenCVE AI on April 14, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SAP S/4HANA to the latest version that includes the fix from SAP Note 3703813.
  • Apply the updates released in the SAP Security Patch Day advisory.
  • Verify that the patch is deployed in both private cloud and on‑premise instances.
  • Enforce least‑privilege permissions for user accounts to restrict file system operations.
  • Monitor the file system for unexpected deletions or modifications.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap; Sap s/4hana
Vendors & Products | | Sap; Sap s/4hana

Tue, 14 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations, which could lead to no impact on Confidentiality and a Low impact on Integrity and Availability of the application.
Title | | Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise)
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:19.040Z

Reserved: 2026-02-23T17:50:10.513Z

Link: CVE-2026-27673

Vulnrichment

Updated: 2026-04-14T13:09:22.884Z

NVD

Status: Received

Published: 2026-04-14T00:16:05.477

Modified: 2026-04-14T00:16:05.477

Link: CVE-2026-27673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:30Z

Weaknesses